Abstract. We consider pushdown timed automata (PTAs) that are timed automata (with dense clocks) augmented with a pushdown stack. A configuration of a PTA includes a control state, dense clock values and a stack word. By using the pattern technique, we give a decidable characterization of the binary reachability (i.e., the set of all pairs of configurations such that one can reach the other) of a PTA. Since a timed automaton can be treated as a PTA without the pushdown stack, we can show that the binary reachability of a timed automaton is definable in the additive theory of reals and integers. The results can be used to verify a class of properties containing linear relations over both dense variables and unbounded discrete variables. These properties previously could neither be verified using the classic region technique nor expressed by timed temporal logics for timed automata and CTL* for pushdown systems. The results are also extended to other generalizations of timed automata.



1 Introduction 

A timed automaton can be considered as a finite automaton augmented with a number of dense (either real or rational) clocks. Clocks can be reset or progress at rate 1 depending upon the truth values of a number of clock constraints in the form of clock regions (i.e., comparisons of a clock or the difference of two clocks against an integer constant). Due to their ability to model and analyze a wide range of real-time systems, timed automata have been extensively studied in recent years (see the recent surveys). In particular, by using the standard region technique, it has been shown that region reachability for timed automata is decidable. This fundamental result and the technique help researchers, both theoretically and practically, in formulating various timed temporal logics and developing verification tools.

Region reachability is useful but has intrinsic limitations. In many real-world applications [14], we might also want to know whether a timed automaton satisfies a non-region property, e.g.,

$x_1 - 2x_2 + 2x_3 > x'_1 + 4x'_2 - 3x_3$

holds whenever clock values $(x_1, x_2, x_3)$ can reach $(x'_1, x'_2, x'_3)$. Recently, Comon and Jurski [16] have shown that the binary reachability of a timed automaton is definable in the additive theory of reals augmented with an integral predicate that tells whether a term is an integer, by flattening a timed automaton into a real-valued counter machine without nested cycles [15]. The result immediately paves the way for automatic verification of a class of non-region properties that previously were not possible using the region technique.

A short version [18] of this paper appears in the Proceedings of the 13th International Conference on Computer-aided Verification (CAV'01), Lecture Notes in Computer Science 2102, pp. 506-517, Springer.

On the other hand, a strictly more powerful system, called a pushdown timed automaton (PTA), can be obtained by augmenting a timed automaton with a pushdown stack. PTAs are particularly interesting because they contain both dense clocks and unbounded discrete structures. They can be used to study, for instance, a timed version of pushdown processes or real-time programs with procedure calls. A configuration of a PTA is a tuple of a control state, dense clock values, and a stack word. The binary reachability of a PTA is the set of all pairs of configurations such that one can reach the other. Comon and Jurski's result for timed automata inspires us to look for a similar result for PTAs. Is there a decidable binary reachability characterization for PTAs such that a class of non-region properties can be verified? The main result in this paper answers this question positively.

There are several potential ways to approach the question. The first straightforward approach would be to treat a PTA as a Cartesian product of a timed automaton and a pushdown automaton. In this way, the binary reachability of a PTA can be formulated by simply combining Comon and Jurski's result and the fact that pushdown automata accept context-free languages. Obviously, this is wrong, since stack operations depend on clock values and thus cannot be simply separated. The second approach is to look closely at the flattening technique of Comon and Jurski to see whether the technique can be adapted by adding a pushdown stack. However, the second approach has an inherent difficulty: the flattening technique, as pointed out in their paper, destroys the structure of the original timed automaton, and thus the sequences of stack operations cannot be maintained after flattening.

Very recently, the question has been answered positively, but only for integer-valued clocks (i.e., for discrete PTAs). It has been shown in [19] that the binary reachability of a discrete PTA can be accepted by a nondeterministic pushdown automaton augmented with reversal-bounded counters (NPCA), whose emptiness problem is known to be decidable. However, as far as dense clocks are concerned, the automata-based technique used in [19] does not apply. The reason is that traditional automata theories do not provide tools to deal with machines containing both real-valued counters (for dense clocks) and unbounded discrete data structures.

In order to handle dense clocks, we introduce a new technique, called the pattern technique, by separating a dense clock into an integral part and a fractional part. Consider a pair $(v_0, v_1)$ of two tuples of clock values. We define (see Section 3 for details) an ordering, called the pattern of $(v_0, v_1)$, on the fractional parts of $v_0$ and $v_1$. The definition guarantees that there are only a finite number of distinct patterns. An equivalence relation $\approx$ is defined such that $(v_0, v_1) \approx (v'_0, v'_1)$ iff $v_0$ and $v'_0$ ($v_1$ and $v'_1$ as well) have the same integral parts, and both $(v_0, v_1)$ and $(v'_0, v'_1)$ have the same pattern. The relation $\approx$ essentially defines an equivalence relation with a countable number of equivalence classes such that the integral parts of $v_0$ and $v_1$ together with the pattern of the fractional parts of $v_0$ and $v_1$ determine the equivalence class of $(v_0, v_1)$. A good property of $\approx$ is that it preserves the binary reachability: $v_0$ can reach $v_1$ by a sequence of transitions iff $v'_0$ can reach $v'_1$ by the (almost) same sequence of transitions, whenever $(v_0, v_1) \approx (v'_0, v'_1)$. Therefore, the fractional parts can be abstracted away from the dense clocks by using a pattern. In this way, by preserving the (almost) same control structure, a PTA can be transformed into a discrete transition system (called a pattern graph) containing discrete clocks (for the integral parts of the dense clocks) and a finite variable over patterns. By translating a pattern back to a relation over the fractional parts of the clocks, the decidable binary reachability characterization of the pattern graph derives the decidable characterization (namely, (D + NPCA)-definable) for the PTA, since the relation is definable in the additive theory of reals. With this characterization, it can be shown that the particular class of safety properties that contain mixed linear relations over both dense variables (e.g., clock values) and discrete variables (e.g., word counts) can be automatically verified for PTAs. For instance,

whenever configuration $\alpha$ can reach configuration $\beta$, $\alpha_{x_1} + 2\beta_{x_2} - \alpha_{x_2} > \#_a(\alpha_w) - \#_b(\beta_w)$ holds

can be verified, where $\alpha_{x_1}$ is the dense value for clock $x_1$ in $\alpha$ and $\#_a(\alpha_w)$ is the number of symbols $a$ in the stack word of $\alpha$. The results can be easily extended to PTAs augmented with reversal-bounded counters. In particular, we can show that the binary reachability of a timed automaton is definable in the first-order additive theory over reals and integers with $>$ and $+$, i.e., $(R, N, +, >, 0)$. Essentially, for timed automata, Comon and Jurski's characterization (the additive theory of reals augmented with an integral predicate) is equivalent to ours (the additive theory of reals and integers). The additive theory over reals and integers is decidable, for instance, by a Büchi-automata-based decision procedure.

Fractional orderings are an effective way to abstract the fractional parts of dense clocks. The idea of using fractional orderings can be traced back to the pioneering work of Alur and Dill in inventing the region technique. Essentially, the region technique makes a finite partition of the clock space such that clock values in the same region give the same answer to each clock constraint in the system (i.e., the automaton of interest). Comon and Jurski [16] notice that Alur and Dill's partition is too coarse for establishing the binary reachability of a timed automaton. They move one step further by bringing in the clock values before a transition was made. But Comon and Jurski's partition is still finite, since their partition, though finer than Alur and Dill's, is still based on answers to all the clock constraints (there are finitely many of them) in the system. In this paper, $\approx$ induces an infinite partition of both the initial values $v_0$ and the current values $v_1$ of the clocks. Essentially, this partition is based on answers to all clock constraints (not just the ones in the system). That is, $\approx$ is finer than Comon and Jurski's partition as well as Alur and Dill's. This is why the flattening technique destroys the transition structure of a timed automaton but the technique presented in this paper is able to preserve the transition structure. A class of Pushdown Timed Systems was discussed in [10]. However, that paper focuses on region reachability instead of binary reachability.

This paper is organized as follows. Section 2 reviews a number of definitions and, in particular, defines a decidable formalism in which the binary reachability of PTAs is expressed. Section 3 and Section 4 give the definition of patterns and show the correctness of using patterns as an abstraction for fractional clock values. Section 5 and Section 6 define PTAs and show that the pattern graph of a PTA has a decidable binary reachability characterization. Section 7 states the main results of the paper. In Section 8, we point out that the results in this paper can be extended to many other infinite state machine models augmented with dense clocks.



2 Preliminaries 

A nondeterministic multicounter automaton is a nondeterministic automaton with a finite number of states, a one-way input tape, and a finite number of integer counters. Each counter can be incremented by 1, decremented by 1, or stay unchanged. Besides, a counter can be tested against 0. It is well-known that counter machines with two counters have an undecidable halting problem, and obviously the undecidability holds for machines augmented with a pushdown stack. Thus, we have to restrict the behaviors of the counters. One such restriction is to limit the number of reversals a counter can make. A counter is $n$-reversal-bounded if it changes mode between nondecreasing and nonincreasing at most $n$ times. For instance, the following sequence of counter values:

0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 3, 2, 1, 1, 1, 1, $\cdots$

demonstrates only one counter reversal. A counter is reversal-bounded if it is $n$-reversal-bounded for some fixed number $n$ independent of computations. A reversal-bounded nondeterministic multicounter automaton (NCA) is a nondeterministic multicounter automaton in which each counter is reversal-bounded. A reversal-bounded nondeterministic pushdown multicounter automaton (NPCA) is an NCA augmented with a pushdown stack. In addition to counter operations, an NPCA can pop the top symbol from the stack or push a word onto the top of the stack. It is known that the emptiness problem (i.e., whether a machine accepts some word) for NPCAs (and hence NCAs) is decidable.

Lemma 1. The emptiness problem for reversal-bounded nondeterministic pushdown 
multicounter automata is decidable. 

When an automaton does not have an input tape, we call it a machine. In this case, we are interested in the behaviors generated by the machine rather than the language accepted by the automaton. We shall use NPCM (resp. NCM) to stand for an NPCA (resp. NCA) without an input tape.

Let $N$ be the integers, $D = Q$ (rationals) or $R$ (reals), and $\Gamma$ be an alphabet. We use $N^+$ and $D^+$ to denote the non-negative values in $N$ and $D$, respectively. Each value $v \in D^+$ can be uniquely expressed as the sum $\lceil v\rceil + \lfloor v\rfloor$, where $\lceil v\rceil \in N$ is the integral part of $v$, and $0 \le \lfloor v\rfloor < 1$ is the fractional part of $v$. A dense variable is a variable over $D$. An integer variable is a variable over $N$. A word variable is a variable over $\Gamma^*$. Let $m \ge 1$. For each $1 \le i \le m$, we use $x_i$, $y_i$, and $w_i$ to denote a dense variable, an integer variable, and a word variable, respectively. We use $\#_a(w_i)$ to denote a count variable representing the number of symbol $a \in \Gamma$ in $w_i$. A linear term $t$ is defined as follows:

$t ::= n \mid x_i \mid y_i \mid \#_a(w_i) \mid t - t \mid t + t$,

where $n \in N$, $a \in \Gamma$ and $1 \le i \le m$. A mixed linear relation $l$ is defined as follows:

$l ::= t > 0 \mid t = 0 \mid t_{discrete} \bmod n = 0 \mid \neg l \mid l \wedge l$,

where $t$ is a linear term, $0 \ne n \in N$, and $t_{discrete}$ is a linear term not containing dense variables. Notice that a mixed linear relation could contain dense variables, integer variables and word count variables. A dense linear relation is a mixed linear relation that contains dense variables only. A discrete linear relation is a mixed linear relation that does not contain dense variables. Obviously, any discrete linear relation is a Presburger formula over integer variables and word count variables.

Each integer can be represented as a unary string, e.g., string "00000" (resp. "11111") for integer +5 (resp. −5). In this way, a tuple of integers and words can be encoded as a string by concatenating the unary representations of each integer and each of the words, with a separator $\# \notin \Gamma$. For instance, $(2, -4, w)$ is encoded as string "00#1111#w". Consider a predicate $H$ over integer variables and word variables. The domain of $H$ is the set of tuples of integers and words that satisfy $H$. Under the encoding, the domain of $H$ can be treated as a set of strings, i.e., a language. A predicate $H$ over integer variables and word variables is an NPCA predicate (or simply NPCA) if there is an NPCA accepting the domain of $H$. A (D + NPCA)-formula $f$ is defined as follows:

$f ::= l_{dense} \wedge H \mid l_{dense} \vee H \mid f \vee f$,

where $l_{dense}$ is a dense linear relation and $H$ is an NPCA predicate. Therefore, a (D + NPCA)-formula is a finite disjunction of formulas in the form of $l_{dense} \wedge H$ or $l_{dense} \vee H$, where dense variables (contained only in each $l_{dense}$) and discrete variables (contained only in each $H$) are separated. Let $p, q, r \ge 0$. A predicate $A$ on tuples in $D^p \times N^q \times (\Gamma^*)^r$ is (D + NPCA)-definable if there is a (D + NPCA)-formula $f$ with $p$ dense variables, $p + q$ integer variables, and $r$ word variables, such that, for all $x_1, \cdots, x_p$ in $D$, for all $y_1, \cdots, y_q$ in $N$, and for all $w_1, \cdots, w_r$ in $\Gamma^*$,

$(x_1, \cdots, x_p, y_1, \cdots, y_q, w_1, \cdots, w_r) \in A$

iff $f(\lfloor x_1\rfloor, \cdots, \lfloor x_p\rfloor, \lceil x_1\rceil, \cdots, \lceil x_p\rceil, y_1, \cdots, y_q, w_1, \cdots, w_r)$ holds.

Lemma 2. (1). Both $l_{discrete} \wedge H$ and $l_{discrete} \vee H$ are NPCA predicates, if $l_{discrete}$ is a discrete linear relation and $H$ is an NPCA predicate.

(2). NPCA predicates are closed under existential quantifications (over integer variables and word variables).

(3). If $A$ is (D + NPCA)-definable and $l$ is a mixed linear relation, then both $l \wedge A$ and $l \vee A$ are (D + NPCA)-definable.

(4). The emptiness (or satisfiability) problem for (D + NPCA)-definable predicates is decidable.
Proof. (1). $l_{discrete}$ is a Presburger formula. (The domain of) $l_{discrete}$ can therefore be accepted by a deterministic NCA. Hence, $l_{discrete} \wedge H$ and $l_{discrete} \vee H$ can be accepted by NPCAs by "intersecting" and "joining" the deterministic NCA and the NPCA that accepts $H$, respectively.

(2). Let $H$ be an NPCA predicate containing variable $z$ (either an integer variable or a word variable). Assume $H$ is accepted by NPCA $M$. An NPCA $M'$ can be constructed to accept $\exists z H$ by guessing each symbol in the encoding of $z$ (on the input tape of $M$) and simulating $M$.

(3). We first show that any mixed linear relation $l$ is definable by a separately mixed linear relation $l'$ (i.e., $l'$ is a Boolean combination of dense linear relations and discrete linear relations, so $l'$ does not have a term containing both dense variables and discrete variables). That is, for all $x_1, \cdots, x_p \in D$, $y_1, \cdots, y_q \in N$,

$l(x_1, \cdots, x_p, y_1, \cdots, y_q)$ iff $l'(\lfloor x_1\rfloor, \cdots, \lfloor x_p\rfloor, \lceil x_1\rceil, \cdots, \lceil x_p\rceil, y_1, \cdots, y_q)$.

Instead of giving a lengthy proof, we look at an example of $l$: $x_1 - x_2 + y_1 > 2$. This can be rewritten as: $\lceil x_1\rceil - \lceil x_2\rceil + y_1 - 2 + \lfloor x_1\rfloor - \lfloor x_2\rfloor > 0$. Term $\lfloor x_1\rfloor - \lfloor x_2\rfloor$ is the only part containing dense variables. Since $\lfloor x_1\rfloor - \lfloor x_2\rfloor$ is bounded, separating cases for this term being at (and between) $-1, 0, 1$ will give a separately mixed linear relation $l'$. This separation idea can be applied to any mixed linear relation $l$. If $A$ is definable by a (D + NPCA)-formula $f$, then $l \wedge A$ (resp. $l \vee A$) is definable by $l' \wedge f$ (resp. $l' \vee f$). By re-organizing the dense linear relations (in $l'$ and $f$) and the discrete linear relations (in $l'$) such that the discrete linear relations are grouped with the NPCA predicates in $f$, $l' \wedge f$ and $l' \vee f$ can be made (D + NPCA)-formulas using Lemma 2 (1).

(4). The emptiness problem for $l_{dense} \wedge H$ and $l_{dense} \vee H$ is decidable, noticing that the emptiness for $l_{dense}$, which is expressible in the additive theory of reals (or rationals), is decidable, and the emptiness of NPCA predicate $H$ is decidable (Lemma 1). Therefore, the emptiness of any (D + NPCA)-formula, as well as, from Lemma 2 (3), any (D + NPCA)-definable predicate, is decidable. ■



3 Clock Patterns and Their Changes 

A dense clock is simply a dense variable taking non-negative values in $D^+$. Now we fix a $k > 0$ and consider $k + 1$ clocks $x = x_0, \cdots, x_k$. For technical reasons, $x_0$ is an auxiliary clock indicating the current time now. Let $K = \{0, \cdots, k\}$, and $K^+ = \{1, \cdots, k\}$. A subset $K'$ of $K$ is abused as a set of clocks; i.e., we say $x_i \in K'$ if $i \in K'$. A (clock) valuation $v$ is a function $K \to D^+$ that assigns a value in $D^+$ to each clock in $K$. A discrete (clock) valuation $u$ is a function $K \to N^+$ that assigns a value in $N^+$ to each clock in $K$. For each valuation $v$ and $\delta \in D^+$, $\lceil v\rceil$, $\lfloor v\rfloor$ and $v + \delta$ are valuations satisfying $\lceil v\rceil(i) = \lceil v(i)\rceil$, $\lfloor v\rfloor(i) = \lfloor v(i)\rfloor$ and $(v + \delta)(i) = v(i) + \delta$ for each $i \in K$. The relative representation $\tilde v$ of a valuation $v$ is a valuation satisfying:

- $\lceil\tilde v\rceil = \lceil v\rceil$,

- $\lfloor\tilde v\rfloor(0) = \lfloor 1 - \lfloor v\rfloor(0)\rfloor$,

- $\lfloor\tilde v\rfloor(i) = \lfloor \lfloor v\rfloor(i) + \lfloor\tilde v\rfloor(0)\rfloor$, for each $i \in K^+$.

A valuation $v_0$ is initial if the auxiliary clock $x_0$ has value 0 in $v_0$.

Example 1. Let $k = 4$ and $v_1 = (4.296, 1.732, 1.414, 5.289, 3.732)$. It can be calculated that $\tilde v_1 = (4.704, 1.436, 1.118, 5.993, 3.436)$. Let $v_2 = v_1 + .268 = (4.564, 2, 1.682, 5.557, 4)$. Then, $\tilde v_2 = (4.436, 2.436, 1.118, 5.993, 4.436)$. It is noticed that all the fractional parts (except for $\tilde v_1(0)$ and $\tilde v_2(0)$) are the same in $\tilde v_1$ and $\tilde v_2$. It is easy to show that a clock progress (i.e., $x_0, \cdots, x_k$ progress by the same amount such as .268) will not change the fractional parts of clock values (for clocks $x_1, \cdots, x_k$) in a relative representation. ■



3.1 Clock Patterns 

We distinguish two disjoint sets, $K^0 = \{0^0, \cdots, k^0\}$ and $K^1 = \{0^1, \cdots, k^1\}$, of indices. A pattern $\eta$ is a sequence $p_0, \cdots, p_n$, for some $0 \le n \le 2(k + 1)$, of nonempty and disjoint subsets of $K^0 \cup K^1$ such that

- $0^0 \in p_0$, and

- $p_0 \cup \cdots \cup p_n = K^0 \cup K^1$.

In pattern $\eta$, $p_i$ is called the $i$-position. A pair of valuations $(v_0, v_1)$ is initialized if $v_0$ is initial. The pattern of $(v_0, v_1)$ characterizes the fractional ordering between elements in $\lfloor\tilde v_0\rfloor$ and $\lfloor\tilde v_1\rfloor$ (where $K^0$ is for indices of $v_0$ and $K^1$ is for indices of $v_1$). Formally, an initialized pair $(v_0, v_1)$ has pattern $\eta = p_0, \cdots, p_n$, written $(v_0, v_1) \in \eta$ or $[(v_0, v_1)] = \eta$, if, for each $0 \le m, m' \le n$, each $b, b' \in \{0, 1\}$, and each $i, i' \in K$,

$i^b \in p_m$ and $i'^{b'} \in p_{m'}$ imply that $\lfloor\tilde v_b\rfloor(i) = \lfloor\tilde v_{b'}\rfloor(i')$ (resp. $<$) iff $m = m'$ (resp. $m < m'$).

Though this definition of a pattern is quite complex, a pattern can be easily visualized after looking at the following example.

Example 2. Consider $v_1$ in Example 1 and an initial valuation $v_0 = (0, 3.118, 5.118, 2, 1.876)$. Since $v_0$ is initial, $\tilde v_0 = v_0$. The fractional parts of $v_0$ and $v_1$, in the relative representation, can be put on a big circle representing the interval $[0, 1)$ as shown in Figure 1. Each fractional value $\lfloor\tilde v_0\rfloor(i)$ for $v_0$ is represented by an oval; each fractional value $\lfloor\tilde v_1\rfloor(i)$ for $v_1$ is represented by a box. The pattern of $(v_0, v_1)$ can be drawn by collecting clockwise (from the top, i.e., $\tilde v_0(0) = 0$) the indices (superscripted with 0, e.g., $3^0$ for $\tilde v_0(3)$) for each component in $v_0$ and the indices (superscripted with 1, e.g., $3^1$ for $\tilde v_1(3)$) for each component in $v_1$; i.e., the pattern is $p_0, \cdots, p_5$ with $p_0 = \{0^0, 3^0\}$, $p_1 = \{1^0, 2^0, 2^1\}$, $p_2 = \{1^1, 4^1\}$, $p_3 = \{0^1\}$, $p_4 = \{4^0\}$, $p_5 = \{3^1\}$. ■

Fig. 1. A graphical representation of the fractional parts of $v_0$ and $v_1$ in the relative representation in Example 2. That is, $\lfloor\tilde v_0\rfloor = (0, .118, .118, 0, .876)$ and $\lfloor\tilde v_1\rfloor = (.704, .436, .118, .993, .436)$ as in Examples 2 and 1. Ovals are for components in $\lfloor\tilde v_0\rfloor$ and boxes are for components in $\lfloor\tilde v_1\rfloor$. For instance, the oval labeled by $\tilde v_0(4)$ corresponds to $\lfloor\tilde v_0\rfloor(4) = .876$.

There are only finitely many distinct patterns, with a bound depending on $k$ alone. Let $\Phi$ denote the set of all the patterns (for the fixed $k$). A pattern is initial if it is the pattern of $(v_0, v_0)$ for some initial valuation $v_0$. If $\eta$ is the pattern of $(v_0, v_1)$, we use $init(\eta)$ to denote the pattern of $(v_0, v_0)$. $init(\eta)$ is unique for each $\eta$. Given two initialized pairs $(v_0, v_1)$ and $(v'_0, v_2)$, we write $(v_0, v_1) \approx (v'_0, v_2)$ if $(v_0, v_1)$ and $(v'_0, v_2)$ have the same pattern and have the same integral parts (i.e., $\lceil v_0\rceil = \lceil v'_0\rceil$, $\lceil v_1\rceil = \lceil v_2\rceil$). The following lemma can be observed.

Lemma 3. For any two initialized pairs $(v_0, v_1)$ and $(v'_0, v_2)$ with $(v_0, v_1) \approx (v'_0, v_2)$, the following statements hold:

(1). the pattern of $(v_0, v_1)$ is initial iff $\lfloor v_1\rfloor = \lfloor v_0\rfloor$,

(2). $v_1$ is initial (i.e., $v_1(0) = 0$) iff $v_2$ is initial,

(3). $v_1 = v_0$ iff $v_2 = v'_0$.

A valuation $v_1$ has pattern $\eta$ if there is an initial $v_0$ such that $(v_0, v_1)$ has pattern $\eta$. $v_1$ may have a number of patterns, by different choices of $v_0$. A pattern of $v_1$ tells the truth values of all the fractional orderings $\lfloor v_1\rfloor(i) \# \lfloor v_1\rfloor(j)$ and $\lfloor v_1\rfloor(i) \# 0$ (where $\#$ stands for $<, >, \le, \ge, =$), for all $i, j \in K^+$, as shown in the following lemma.

Lemma 4. Let $\eta = p_0, \cdots, p_n$ be a pattern of a valuation $v$. Assume $0^1 \in p_i$ for some $0 \le i \le n$. Then, for any $m_1$ and $m_2$ (with $0 \le m_1, m_2 \le n$), for any $j_1$ and $j_2$ in $K^+$ (with $j_1^1 \in p_{m_1}$ and $j_2^1 \in p_{m_2}$), the following statements hold.

(1). $\lfloor v\rfloor(j_1) > \lfloor v\rfloor(j_2)$ iff one of the following conditions holds:

$m_1 < i \le m_2$,
$m_2 < m_1 < i$,
$i \le m_2 < m_1$.

(2). $\lfloor v\rfloor(j_1) = \lfloor v\rfloor(j_2)$ iff $m_1 = m_2$.

(3). $\lfloor v\rfloor(j_1) > 0$ iff $m_1 \ne i$.

(4). $\lfloor v\rfloor(j_1) = 0$ iff $m_1 = i$.

Proof. Directly from the definition of a pattern. ■

Recall that $0^1$ stands for the index for the value of clock $x_0$ (representing now) in $v_1$. Let $\eta = p_0, \cdots, p_n$ be a pattern. $p_i$ is the now-position of $\eta$ if $0^1 \in p_i$. A pattern $\eta$ is regulated if the now-position of $\eta$ is $p_0$. Note that the pattern of an initialized pair $(v_0, v_1)$ is regulated if and only if the auxiliary clock takes an integral value in $v_1$ (i.e., $\lfloor v_1\rfloor(0) = 0$). A pattern is a merge-pattern if the now-position is a singleton set (i.e., $0^1$ is the only element). A pattern is a split-pattern if it is not a merge-pattern, i.e., the now-position contains more than one element. ("Merge" and "split" will be made clear in a moment.) Obviously, a regulated pattern is always a split-pattern. This is because the now-position of a regulated pattern, which is $p_0$, contains at least two elements $0^0$ and $0^1$.

3.2 Clock Progresses 

For each $0 < \delta \in D^+$, $v + \delta$ is the result of a clock progress from $v$ by an amount of $\delta$. How does a pattern change according to the progress? Let us first look at an example.

Example 3. Consider $v_1, v_2$ ($= v_1 + .268$) in Example 1, and $v_0$ in Example 2. In Example 2 we indicated that the pattern $\eta_1$ of $(v_0, v_1)$ is

$\{0^0, 3^0\}, \{1^0, 2^0, 2^1\}, \{1^1, 4^1\}, \{0^1\}, \{4^0\}, \{3^1\}$.

Similar steps can be followed to show that the pattern $\eta_2$ of $(v_0, v_2)$ is

$\{0^0, 3^0\}, \{1^0, 2^0, 2^1\}, \{1^1, 4^1, 0^1\}, \{4^0\}, \{3^1\}$.

A helpful way to see the relationship between $\eta_1$ and $\eta_2$ is by looking at Figure 1. Holding the box labeled by $\tilde v_1(0)$ (for the current time) and sliding counter-clockwise along the big circle for an amount of .268 will stop at the box labeled by $\tilde v_1(1)$ and $\tilde v_1(4)$. Thus, the pattern $\eta_2$ (after sliding) is exactly $\eta_1$ (before sliding) except that $0^1$ in the 3-position in $\eta_1$ is merged into the 2-position in $\eta_2$. Notice that $\eta_1$ is a merge-pattern and the resulting $\eta_2$ is a split-pattern. The integral parts $\lceil v_1\rceil(1)$ and $\lceil v_1\rceil(4)$ change to $\lceil v_2\rceil(1) = \lceil v_1\rceil(1) + 1$ and $\lceil v_2\rceil(4) = \lceil v_1\rceil(4) + 1$. But all the other components of $\lceil v_1\rceil$ do not change. The reason is that, after merging $0^1$ with $1^1$ and $4^1$ in $\eta_2$, the fractional parts $\lfloor v_2\rfloor(1)$ and $\lfloor v_2\rfloor(4)$ are "rounded" (i.e., become 0). What if we further make a clock progress from $v_2$ for an amount of $\delta' = .12$? The resulting pattern $\eta_3$ of $(v_0, v_3)$ with $v_3 = v_2 + \delta'$ is the result of splitting $0^1$ from the 2-position $\{1^1, 4^1, 0^1\}$. That is, $\eta_3$ is

$\{0^0, 3^0\}, \{1^0, 2^0, 2^1\}, \{0^1\}, \{1^1, 4^1\}, \{4^0\}, \{3^1\}$,

which is a merge-pattern again. This process of merging and splitting can be formally defined as the following function $next$. ■

Function $next : \Phi \times (N^+)^{k+1} \to \Phi \times (N^+)^{k+1}$ describes how a pattern changes upon a clock progress. Given any discrete valuation $u$ and pattern $\eta = p_0, \cdots, p_n$ with the now-position being $p_i$ for some $i$, $next(\eta, u)$ is defined to be $(\eta', u')$ such that,

- (the case when $\eta$ is a merge-pattern) if $i > 0$ and $|p_i| = 1$ (that is, the now-position $p_i = \{0^1\}$), then $\eta'$ is

$p_0, \cdots, p_{i-1} \cup \{0^1\}, p_{i+1}, \cdots, p_n$

(that is, $\eta'$ is the result of merging the now-position into the previous position), and for each $j \in K^+$, if $j^1 \in p_{i-1}$, then $u'(j) = u(j) + 1$ else $u'(j) = u(j)$. Besides, if $i = 1$ (i.e., the now-position is merged into $p_0$; in this case, $\eta'$ is a regulated pattern), then $u'(0) = u(0) + 1$ else $u'(0) = u(0)$,

- (the case when $\eta$ is a split-pattern) if $i \ge 0$ and $|p_i| > 1$, then $\eta'$ is the result of splitting $0^1$ from the now-position. That is, if $i > 0$, $\eta'$ is

$p_0, \cdots, p_{i-1}, \{0^1\}, p_i - \{0^1\}, p_{i+1}, \cdots, p_n$.

However, if $i = 0$, $\eta'$ is

$p_0 - \{0^1\}, p_1, \cdots, p_n, \{0^1\}$.

In either case, $u' = u$.

If $next(\eta, u) = (\eta', u')$, (1). $\eta'$ is called the next pattern of $\eta$, written $Next(\eta)$, (2). $\Delta_\eta \in \{0, 1\}^{k+1}$ is called the increment vector of $\eta$ with $\Delta_\eta = u' - u$. Obviously, $Next(\eta) \ne \eta$ and $Next(\cdot)$ is total and 1-1.

To better understand $Next(\cdot)$, we visualize pattern $\eta$ as a circle shown in Figure 2. Applications of $Next(\cdot)$ can be regarded as moving the index $0^1$ along the circle, by performing merge-operations (Figure 2 (a)) and split-operations (Figure 2 (b)) alternately. After enough applications of $Next(\cdot)$, $0^1$ will return to the original now-position after moving through the entire circle. That is, for each pattern $\eta$, there is a smallest positive integer $m$ such that $Next^m(\eta) = \eta$; i.e., $\eta_0, \cdots, \eta_m$ satisfies $\eta_0 = \eta_m = \eta$, and $Next(\eta_i) = \eta_{i+1}$ for each $0 \le i < m$. More precisely, by looking at Figure 2, if $\eta$ is a merge-pattern, $m = 2n$; if $\eta$ is a split-pattern, $m = 2(n + 1)$. Furthermore, elements $\eta_0, \cdots, \eta_{m-1}$ are distinct. The sequence $\eta_0, \cdots, \eta_m$ is called a pattern ring. The pattern ring is unique for each fixed $\eta_0$. Notice that $next^m(\eta, u) = (\eta, u + 1)$ for each $u$. Since the next pattern $Next(\eta)$ is a merge-pattern (resp. split-pattern) if $\eta$ is a split-pattern (resp. merge-pattern), on a pattern ring, merge-patterns and split-patterns appear alternately.

Fix any initialized pair $(v_0, v)$ and $0 < \delta \in D^+$. Assume the patterns of $(v_0, v)$ and $(v_0, v + \delta)$ are $\eta$ and $\eta'$, respectively. We say $v$ has no pattern change for $\delta$ if, for all $0 \le \delta' \le \delta$, $(v_0, v + \delta')$ has the same pattern. We say $v$ has one pattern change for $\delta$ if $Next(\eta) = \eta'$ and, for all $0 \le \delta' < \delta$, $(v_0, v + \delta')$ has pattern $\eta$, or, for all $0 < \delta' \le \delta$, $(v_0, v + \delta')$ has pattern $\eta'$. The following lemma on the correctness of $next$ can be observed.

Lemma 5. For any initialized pair $(v_0, v)$ and any $0 < \delta \in D^+$, the following statements are equivalent:

(1). $next([(v_0, v)], \lceil v\rceil) = ([(v_0, v + \delta)], \lceil v + \delta\rceil)$,

(2). $v$ has one pattern change for $\delta$.
Fig. 2. A graphical representation of a pattern $\eta = p_0, \cdots, p_n$. Operator $Next(\cdot)$ has the same effect as moving the now-position counter-clockwise. In case (a), the now-position is merged into the previous position. In case (b), index $0^1$ is split from the now-position.

We say $v$ has $n$ pattern changes for $\delta$ with $n > 1$, if there are positive $\delta_1, \cdots, \delta_n$ in $D^+$ with $\sum_{1 \le i \le n} \delta_i = \delta$ such that $v + \sum_{1 \le i \le j} \delta_i$ has one pattern change for $\delta_{j+1}$, for each $j = 0, \cdots, n - 1$. It is noticed that for any $\delta < 1$, $v$ has at most $m$ pattern changes, where $m$ is the length of the pattern ring starting from the pattern $\eta$ of $(v_0, v)$. This $m$ is uniformly bounded by $4(k + 1)$.

Lemma 6. For any initialized pair $(v_0, v)$ and any $\delta \in D^+$, (1) $v$ has at most $4(k + 1)$ pattern changes for $\delta$ if $\delta < 1$, (2) $v$ has at least one pattern change for $\delta$ if $\delta \ge 1$, (3) if $v$ has no pattern change for $\delta$ then $\lceil v\rceil = \lceil v + \delta\rceil$.

3.3 Clock Resets 

In addition to clock progresses, clock resets are the other form of clock behaviors. Let $r \subseteq K^+$ be (a set of) clock resets. $v{\downarrow_r}$ denotes the result of resetting each clock $x_i \in r$ (i.e., $i \in r$). That is, for each $i \in K$,

$v{\downarrow_r}(i) = 0$ if $i \in r$, and $v{\downarrow_r}(i) = v(i)$ otherwise.

Example 4. Consider $v_0$ and $v_1$ given in Example 2 and Example 1. Assume $r = \{4\}$. By definition, $v_1{\downarrow_r} = (4.296, 1.732, 1.414, 5.289, 0)$. It can be calculated that the relative representation of $v_1{\downarrow_r}$ is $(4.704, 1.436, 1.118, 5.993, 0.704)$. The pattern of $(v_0, v_1{\downarrow_r})$ can be figured out again by looking at Figure 1. The reset of clock $x_4$ can be conceptually regarded as moving the label $\tilde v_1(4)$ from the box of $\tilde v_1(1)$ and $\tilde v_1(4)$ to the box of $\tilde v_1(0)$ (the current time). Therefore, the pattern after the reset changes from

$\{0^0, 3^0\}, \{1^0, 2^0, 2^1\}, \{1^1, 4^1\}, \{0^1\}, \{4^0\}, \{3^1\}$

of $(v_0, v_1)$ to

$\{0^0, 3^0\}, \{1^0, 2^0, 2^1\}, \{1^1\}, \{0^1, 4^1\}, \{4^0\}, \{3^1\}$

of $(v_0, v_1{\downarrow_r})$ by moving $4^1$ into the position containing $0^1$. ■

Functions $reset_r : \Phi \times (N^+)^{k+1} \to \Phi \times (N^+)^{k+1}$ for $r \subseteq K^+$ describe how a pattern changes after clock resets. Given any discrete valuation $u$ and any pattern $\eta = p_0, \cdots, p_n$ with the now-position being $p_i$ for some $i$, $reset_r(\eta, u)$ is defined to be $(\eta', u')$ such that,

- $\eta'$ is $p_0 - r^1, \cdots, p_{i-1} - r^1, p_i \cup r^1, p_{i+1} - r^1, \cdots, p_n - r^1$, where $r^1 = \{j^1 : j \in r\} \subseteq K^1$. Therefore, $\eta'$ is the result of bringing every index in $r^1$ into the now-position. Notice that some of $p_m - r^1$ may be empty after moving indices in $r^1$ out of $p_m$, for $m \ne i$. In this case, these empty elements are removed from $\eta'$ (to guarantee that $\eta'$ is well defined).

- for each $j \in K$, if $j \in r$, then $u'(j) = 0$ else $u'(j) = u(j)$.

If $reset_r(\eta, u) = (\eta', u')$, $\eta'$ is written as $Reset_r(\eta)$. Note that $Reset_r(\eta)$ is unique for each $\eta$ and $r$, and is independent of $u$. The following lemma states that $reset$ is correct.

Lemma 7. For any initialized pair $(v_0, v)$ and any $r \subseteq K^+$,

$$reset_r([(v_0, v)], \lceil v \rceil) = ([(v_0, v \downarrow_r)], \lceil v \downarrow_r \rceil).$$
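The definition of $Reset_r$ above is mechanical enough to be run. The following block is an added example, not code from the paper: it models a pattern as a list of boxes (sets of labels $i^b$, with $b = 0$ for a component of $v_0$ and $b = 1$ for a component of $v$), takes the now-position to be the box containing $0^1$ (the current value of the auxiliary clock of $v$, which is what Example 4 uses when it moves $4^1$ "to the box of $v_1(0)$"), moves $r^1$ into it, drops the boxes that become empty, and replays Example 4 to confirm the stated result. The `parse` helper and the label encoding are conveniences of this example, not notation from the paper.

```python
"""Reset_r on a pattern, as defined in Section 3.3 (added example)."""
from typing import FrozenSet, List, Tuple

Label = Tuple[int, int]           # (clock index, 0 for v_0 / 1 for v)
Pattern = List[FrozenSet[Label]]  # boxes in circular order

NOW_LABEL: Label = (0, 1)         # the label 0^1 marks the now-position


def parse(spec: str) -> Pattern:
    """Parse '{0^0,3^0},{1^0,2^0,2^1}' into a Pattern (helper for this example)."""
    boxes: Pattern = []
    for box in spec.replace(" ", "").strip("{}").split("},{"):
        labels = set()
        for lab in box.split(","):
            i, b = lab.split("^")
            labels.add((int(i), int(b)))
        boxes.append(frozenset(labels))
    return boxes


def now_position(eta: Pattern) -> int:
    """Index of the box holding 0^1; a well-formed pattern has exactly one."""
    hits = [m for m, box in enumerate(eta) if NOW_LABEL in box]
    if len(hits) != 1:
        raise ValueError("pattern must contain the label 0^1 exactly once")
    return hits[0]


def reset_pattern(eta: Pattern, r: set) -> Pattern:
    """Reset_r(eta): move every j^1 with j in r into the now-position.

    Boxes that become empty are dropped, as the definition requires, so
    the result is again a well-formed pattern.
    """
    r1 = {(j, 1) for j in r}          # the label set r^1
    i = now_position(eta)
    out: Pattern = []
    for m, box in enumerate(eta):
        new_box = (box | r1) if m == i else (box - r1)
        if new_box:                    # remove empty elements
            out.append(new_box)
    return out


def reset_discrete(u: List[int], r: set) -> List[int]:
    """The u' component of reset_r(eta, u): clocks in r become 0."""
    return [0 if j in r else u[j] for j in range(len(u))]


# Constructed input: the pattern of (v_0, v_1) from Example 4 ...
BEFORE = parse("{0^0,3^0},{1^0,2^0,2^1},{1^1,4^1},{0^1},{4^0},{3^1}")
# ... and the pattern of (v_0, v_1 downarrow_{4}) that Example 4 reports.
AFTER = parse("{0^0,3^0},{1^0,2^0,2^1},{1^1},{0^1,4^1},{4^0},{3^1}")


def example4_check() -> bool:
    """True iff Reset_{4}(BEFORE) is the pattern stated in Example 4."""
    return reset_pattern(BEFORE, {4}) == AFTER


if __name__ == "__main__":
    print(reset_pattern(BEFORE, {4}))
    print(example4_check())
```

Resetting both clocks of a box (for instance $r = \{1, 4\}$ on the pattern above) empties the box $\{1^1, 4^1\}$, which is exactly the case the definition handles by removing empty elements.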

4 Clock Constraints and Patterns

An atomic clock constraint (over clocks $x_1, \cdots, x_k$, excluding $x_0$) is a formula in the form of $x_i - x_j \,\#\, d$ or $x_i \,\#\, d$ where $0 \le d \in N^+$ and $\#$ stands for $<, >, \le, \ge, =$. A clock constraint $c$ is a Boolean combination of atomic clock constraints. Let $C$ be the set of all clock constraints (over clocks $x_1, \cdots, x_k$). We say $v \in c$ if clock valuation $v$ (for $x_0, \cdots, x_k$) satisfies clock constraint $c$.

Any clock constraint $c$ can be written as a Boolean combination $I(c)$ of clock constraints over discrete clocks $\lceil x_1 \rceil, \cdots, \lceil x_k \rceil$ and fractional orderings $\lfloor x_i \rfloor \,\#\, \lfloor x_j \rfloor$ and $\lfloor x_i \rfloor \,\#\, 0$. For instance, $x_i - x_j < d$ is equivalent to: $\lceil x_i \rceil - \lceil x_j \rceil < d$, or, $\lceil x_i \rceil - \lceil x_j \rceil = d$ and $\lfloor x_i \rfloor < \lfloor x_j \rfloor$. $x_i > d$ is equivalent to: $\lceil x_i \rceil > d$, or, $\lceil x_i \rceil = d$ and $\lfloor x_i \rfloor > 0$. Therefore, testing $v \in c$ is equivalent to testing whether $\lceil v \rceil$ and the fractional orderings on $\lfloor v \rfloor$ satisfy $I(c)$.

Assume $v$ has a pattern $\eta = p_0, \cdots, p_n$. A fractional ordering on $\lfloor v \rfloor$ is equivalent to a Boolean condition on $\eta$, as shown earlier. Whenever $\eta$ is fixed, each fractional ordering in $I(c)$ has a specific truth value (either 0 or 1). In this case, we use $I(c)^\eta$, or simply $c^\eta$, to denote the result of replacing fractional orderings in $I(c)$ by the truth values given by $\eta$. $c^\eta$, containing no fractional orderings, is just a clock constraint (over discrete clocks). Notice that the pattern space is finite, therefore, $v \in c$ is equivalent to

$$\bigvee_{\eta \in \Phi} \big(v \text{ has pattern } \eta \;\wedge\; \lceil v \rceil \in c^\eta\big).$$

Hence, the truth value of $v \in c$ only depends on a pattern of $v$ and the integral parts of $v$. These observations conclude the following results. In particular, Lemma 8 (2) indicates that it is sufficient to test the two end points $v \in c$ and $v + \delta \in c$ in order to make sure that $c$ is consistently satisfied on each $v + \delta'$, $0 \le \delta' \le \delta$, if from $v$ to $v + \delta$ there is at most one pattern change.

Lemma 8. (1). For any initialized pair $(v_0, v)$, any pattern $\eta \in \Phi$, if $(v_0, v)$ has pattern $\eta$, then, for any clock constraint $c \in C$, $v \in c$ iff $\lceil v \rceil \in c^\eta$.

(2). For any initialized pair $(v_0, v)$ and any $0 \le \delta \in D^+$, if $v$ has at most one pattern change for $\delta$, then, for any clock constraint $c \in C$,

$$\forall\, 0 \le \delta' \le \delta\; (v + \delta' \in c) \quad \text{iff} \quad v \in c \text{ and } v + \delta \in c.$$

(3). For any initialized pairs $(v_0^1, v_1)$ and $(v_0^2, v_2)$, if $(v_0^1, v_1) \approx (v_0^2, v_2)$, then, for any $c \in C$, $v_1 \in c$ iff $v_2 \in c$.

Proof. (1) is from the observations made before this lemma in this section. (2) is from (1) and Lemma 6: with at most one pattern change the integral parts, and hence the truth value of $c$, can change only once between $v$ and $v + \delta$, so the two end points cover every value taken on the way. (3) is directly from (1). $\blacksquare$
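The rewriting of an atomic constraint into a test on integral parts plus a fractional ordering is the mechanism behind Lemma 8 (1), and it is easy to get a case wrong. The block below is an added example, not code from the paper: it carries the two cases the text spells out ($x_i - x_j < d$ and $x_i > d$) through to all five comparators (this generalisation is the example's own, justified by the same integer/fraction split), decides each atom from $\lceil x \rceil$ and the ordering of $\lfloor x \rfloor$ only, and cross-checks every rewritten atom against direct arithmetic on exact rationals over a constructed grid of values, so a wrong case would surface as a mismatch.

```python
"""Deciding atomic clock constraints from integral parts and fractional
orderings only, i.e. the I(c) rewriting of Section 4 (added example)."""
from fractions import Fraction
from itertools import product
from typing import Callable, Sequence

Valuation = Sequence[Fraction]


def int_part(x: Fraction) -> int:
    """The paper's integral part of a clock value (x >= 0 assumed)."""
    return x.numerator // x.denominator


def frac_part(x: Fraction) -> Fraction:
    """The paper's fractional part of a clock value, in [0, 1)."""
    return x - int_part(x)


def cmp(op: str) -> Callable[[Fraction, Fraction], bool]:
    return {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
            "=": lambda a, b: a == b, ">": lambda a, b: a > b,
            ">=": lambda a, b: a >= b}[op]


def diff_atom_decomposed(v: Valuation, i: int, j: int, op: str, d: int) -> bool:
    """x_i - x_j # d from int parts and the ordering of the fractions.

    With D = int(x_i) - int(x_j) and f = frac(x_i) - frac(x_j) in (-1, 1):
    x_i - x_j < d iff D < d, or D = d and f < 0 (the paper's case); the
    other comparators split on D = d in the same way.
    """
    D = int_part(v[i]) - int_part(v[j])
    fi, fj = frac_part(v[i]), frac_part(v[j])
    if op == "<":
        return D < d or (D == d and fi < fj)
    if op == "<=":
        return D < d or (D == d and fi <= fj)
    if op == "=":
        return D == d and fi == fj
    if op == ">":
        return D > d or (D == d and fi > fj)
    if op == ">=":
        return D > d or (D == d and fi >= fj)
    raise ValueError(op)


def unary_atom_decomposed(v: Valuation, i: int, op: str, d: int) -> bool:
    """x_i # d from int(x_i) and the ordering of frac(x_i) against 0."""
    I, f = int_part(v[i]), frac_part(v[i])
    if op == "<":
        return I < d                        # d is an integer
    if op == "<=":
        return I < d or (I == d and f == 0)
    if op == "=":
        return I == d and f == 0
    if op == ">":
        return I > d or (I == d and f > 0)  # the paper's case
    if op == ">=":
        return I >= d
    raise ValueError(op)


def cross_check(grid: Sequence[Fraction], max_d: int = 3) -> int:
    """Compare the decomposed atoms with direct arithmetic on every pair of
    values from `grid`; returns the number of mismatches (0 if correct)."""
    bad = 0
    for a, b in product(grid, repeat=2):
        v = (Fraction(0), a, b)   # x_0 is the auxiliary clock, unused here
        for op in ("<", "<=", "=", ">", ">="):
            for d in range(0, max_d + 1):
                if diff_atom_decomposed(v, 1, 2, op, d) != cmp(op)(a - b, d):
                    bad += 1
                if unary_atom_decomposed(v, 1, op, d) != cmp(op)(a, d):
                    bad += 1
    return bad


# Constructed grid: quarter steps plus two values from the paper's Example 5.
GRID = [Fraction(n, 4) for n in range(0, 13)] + [Fraction("4.98"), Fraction("2.52")]

if __name__ == "__main__":
    print("mismatches:", cross_check(GRID))
```

Because only $\lceil v \rceil$ and the relative order of the fractional parts enter the decision, two valuations with the same integral parts and the same pattern are indistinguishable by any atom, which is the content of Lemma 8 (3).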

Now, we consider two initialized pairs $(v_0^1, v_1)$ and $(v_0^2, v_2)$ such that

$$(v_0^1, v_1) \approx (v_0^2, v_2).$$

That is, from the definition of $\approx$, $v_0^1$ (resp. $v_1$) has the same integral parts as $v_0^2$ (resp. $v_2$). Besides, the two pairs have the same pattern. From Lemma 8 (3), any test $c \in C$ will not tell the difference between $v_1$ and $v_2$. Assume $v_1$ can be reached from a valuation $v_1'$ via a clock progress by an amount of $\delta_1$, i.e., $v_1' + \delta_1 = v_1$. We would like to know whether $v_2$ can be reached from some valuation $v_2'$ also via a clock progress, but probably by a slightly different amount of $\delta_2$, such that $(v_0^1, v_1')$ and $(v_0^2, v_2')$ are still equivalent ($\approx$). We also expect that for any test $c$, if during the progress of $v_1'$, $c$ is consistently satisfied, then so is $c$ for the progress of $v_2'$. The following lemma concludes that these, as well as the parallel case for clock resets, can be done. This result can be used later to show that if $v_1$ is reached from $v_0^1$ by a sequence of transitions that repeatedly perform clock progresses and clock resets, then $v_2$ can also be reached from $v_0^2$ via a very similar sequence such that no test $c$ can distinguish the two sequences.

Lemma 9. For any initialized pairs $(v_0^1, v_1)$ and $(v_0^2, v_2)$ with $(v_0^1, v_1) \approx (v_0^2, v_2)$,

(1). for any $0 \le \delta_1 \in D^+$, for any clock valuation $v_1'$, if $v_1' + \delta_1 = v_1$, then there exist $0 \le \delta_2 \in D^+$ and clock valuation $v_2'$ such that

(1.1). $v_2' + \delta_2 = v_2$ and $(v_0^1, v_1') \approx (v_0^2, v_2')$,

(1.2). $v_1'$ is initial iff $v_2'$ is initial, $v_1' = v_0^1$ iff $v_2' = v_0^2$, and for any $c \in C$, $v_1' \in c$ (resp. $v_1 \in c$) iff $v_2' \in c$ (resp. $v_2 \in c$),

(1.3). for any clock constraint $c \in C$, $\forall\, 0 \le \delta' \le \delta_1\, (v_1' + \delta' \in c)$ iff $\forall\, 0 \le \delta' \le \delta_2\, (v_2' + \delta' \in c)$.

(2). for any $r \subseteq K^+$, for any clock valuation $v_1'$, if $v_1' \downarrow_r = v_1$, then there exists a valuation $v_2'$ such that

(2.1). $v_2' \downarrow_r = v_2$ and $(v_0^1, v_1') \approx (v_0^2, v_2')$,

(2.2). same as (1.2).

Proof. (1). Assume $\delta_1$ is "small", i.e., from $v_1'$ to $v_1 = v_1' + \delta_1$, there is at most one pattern change. Let $\eta = p_0, \cdots, p_n$ be the pattern for $(v_0^2, v_2)$ (and, hence, for $(v_0^1, v_1)$). Assume $0^1 \in p_i$ for some $i$. If $\delta_1$ causes no pattern change for $v_1'$, then simply take $\delta_2 = 0$. If $\delta_1$ causes one pattern change for $v_1'$, then we put $(v_0^2, v_2)$ on a circle (e.g. Figure 1). If $\eta$ is a split-pattern (i.e., $|p_i| > 1$), then we separate a new box (only labeled by $\lfloor v_2 \rfloor(0)$) from the original box labeled by $\lfloor v_2 \rfloor(0)$ and slide the new box backwards (i.e., clockwise) for a small positive amount (taken as $\delta_2$) without hitting any box or oval. If $\eta$ is a merge-pattern (i.e., $|p_i| = 1$), then we slide the box labeled by $\lfloor v_2 \rfloor(0)$ (this is the only label) backwards (i.e., clockwise) for a positive amount (taken as $\delta_2$) until a box or an oval is hit. Take $v_2' = v_2 - \delta_2$. Obviously, $(v_0^1, v_1') \approx (v_0^2, v_2')$. It can be checked that (1.2) and (1.3) hold using Lemma 6 and Lemma 8.

Any larger $\delta_1$ that causes multiple pattern changes for $v_1'$ can be split into a finite (Lemma 6) sequence of small $\delta$'s, each causing exactly one pattern change. In this case, $\delta_2$ can be calculated by working on each small $\delta$ (the last one first) as in the above proof.

(2). The case when $r = \emptyset$ is obvious. Assume $r$ contains only one element $j \in K^+$. Assume $\eta$ is the pattern of $(v_0^1, v_1')$. A desired $v_2'$ is picked as follows. The integral parts of $v_2'$ are exactly those of $v_1'$; i.e., $\lceil v_2' \rceil = \lceil v_1' \rceil$. The fractional parts of $v_2'$ are exactly those of $v_2$, except that, in the relative representation, $\lfloor v_2' \rfloor(j)$ may be different from $\lfloor v_2 \rfloor(j)$. Then what is $\lfloor v_2' \rfloor(j)$? It is chosen such that the pattern of $(v_0^2, v_2')$ is $\eta$. For instance, if $\lfloor v_1' \rfloor(j)$ equals, say, $\lfloor v_1 \rfloor(j_1)$ (resp. $\lfloor v_0^1 \rfloor(j_1)$), for some $j_1$, then $\lfloor v_2' \rfloor(j)$ is picked as $\lfloor v_2 \rfloor(j_1)$ (resp. $\lfloor v_0^2 \rfloor(j_1)$). If $\lfloor v_1' \rfloor(j)$ lies strictly between, say, $\lfloor v_1 \rfloor(j_1)$ (or, $\lfloor v_0^1 \rfloor(j_1)$) and $\lfloor v_1 \rfloor(j_2)$ (or, $\lfloor v_0^1 \rfloor(j_2)$), for some $j_1$ and $j_2$, such that no other component in $\lfloor v_1 \rfloor$ and $\lfloor v_0^1 \rfloor$ lies strictly between these two values, then $\lfloor v_2' \rfloor(j)$ is picked as any value lying strictly between $\lfloor v_2 \rfloor(j_1)$ (or, $\lfloor v_0^2 \rfloor(j_1)$) and $\lfloor v_2 \rfloor(j_2)$ (or, $\lfloor v_0^2 \rfloor(j_2)$) accordingly. Since $(v_0^1, v_1) \approx (v_0^2, v_2)$, we can show $\lfloor v_2' \rfloor(j)$ can always be picked. The choice of $\lfloor v_2' \rfloor(j)$ guarantees that the pattern of $(v_0^2, v_2')$ is the same as the pattern of $(v_0^1, v_1')$. The rest of the conditions in (2) can be checked easily.

For the case when $r$ contains more than one element, the above proof can be generalized by resetting clocks in $r$ one by one. $\blacksquare$

5 Pushdown Timed Automata

A pushdown timed automaton (PTA) $A$ is a tuple

$$(S, \{x_1, \cdots, x_k\}, Inv, R, \Gamma, PD),$$

where

- $S$ is a finite set of states,

- $x_1, \cdots, x_k$ are (dense) clocks,

- $Inv : S \to C$ assigns a clock constraint over clocks $x_1, \cdots, x_k$, called an invariant, to each state,

- $R : S \times S \to C \times 2^{\{x_1, \cdots, x_k\}}$ assigns a clock constraint over clocks $x_1, \cdots, x_k$, called a reset condition, and a subset of clocks, called clock resets, to a (directed) edge in $S \times S$,

- $\Gamma$ is the stack alphabet. $PD : S \times S \to \Gamma \times \Gamma^*$ assigns a pair $(a, \gamma)$ with $a \in \Gamma$ and $\gamma \in \Gamma^*$, called a stack operation, to each edge in $S \times S$. A stack operation $(a, \gamma)$ replaces the top symbol $a$ of the stack with a string $\gamma$ (possibly empty) in $\Gamma^*$.

A timed automaton is a PTA without the pushdown stack.

The semantics of $A$ is defined as follows. A configuration is a triple $(s, v, w)$ of a state $s$, a clock valuation $v$ on $x_0, \cdots, x_k$ (where $x_0$ is the auxiliary clock), and a stack word $w \in \Gamma^*$. $(s_1, v_1, w_1) \to_A (s_2, v_2, w_2)$ denotes a one-step transition of $A$ if one of the following conditions is satisfied:

- (a progress transition) $s_1 = s_2$, $w_1 = w_2$, and $\exists\, 0 < \delta \in D^+$, $v_2 = v_1 + \delta$ and for all $\delta'$ satisfying $0 \le \delta' \le \delta$, $v_1 + \delta' \in Inv(s_1)$. That is, a progress transition makes all the clocks synchronously progress by amount $\delta > 0$, during which the invariant is consistently satisfied, while the state and the stack content remain unchanged.

- (a reset transition) $v_1 \in Inv(s_1) \wedge c$, $v_1 \downarrow_r = v_2 \in Inv(s_2)$, and $w_1 = aw$, $w_2 = \gamma w$ for some $w \in \Gamma^*$, where $R(s_1, s_2) = (c, r)$ for some clock constraint $c$ and clock resets $r$, and $PD(s_1, s_2) = (a, \gamma)$ for some stack symbol $a \in \Gamma$ and string $\gamma \in \Gamma^*$. That is, a reset transition, by moving from state $s_1$ to state $s_2$, resets every clock in $r$ to 0 and keeps all the other clocks unchanged. The stack content is modified according to the stack operation $(a, \gamma)$ given on edge $(s_1, s_2)$. Clock values before the transition satisfy the invariant $Inv(s_1)$ and the reset condition $c$; clock values after the transition satisfy the invariant $Inv(s_2)$.$^1$

We write $\to_A^*$ to be the transitive closure of $\to_A$. Given two valuations $v_0^1$ and $v_1$, two states $s_0$ and $s_1$, and two stack words $w_0$ and $w_1$, assume the auxiliary clock $x_0$ starts from 0, i.e., $v_0^1$ is initial. The following result is surprising. It states that, for any initialized pair $(v_0^2, v_2)$ with $(v_0^1, v_1) \approx (v_0^2, v_2)$, $(s_0, v_0^1, w_0) \to_A^* (s_1, v_1, w_1)$ if and only if $(s_0, v_0^2, w_0) \to_A^* (s_1, v_2, w_1)$. This result implies that, from the definition of $\approx$, for any fixed $s_0, s_1, w_0$ and $w_1$, the pattern of $(\lfloor v_0^1 \rfloor, \lfloor v_1 \rfloor)$ (instead of the actual values of $\lfloor v_0^1 \rfloor$ and $\lfloor v_1 \rfloor$), the integral values $\lceil v_0^1 \rceil$ and the integral values $\lceil v_1 \rceil$ are sufficient to determine whether $(s_0, v_0^1, w_0)$ can reach $(s_1, v_1, w_1)$ in $A$.

$^1$ A reader might wonder why we don't have a stack operation for a progress transition. That is, a state $s$ can also be assigned with a stack operation $(a, \gamma)$ such that each progress transition by an amount $\delta > 0$ on state $s$ also modifies the stack content according to $(a, \gamma)$. However, this progress transition can be treated as a sequence of three transitions: a progress transition (without a stack operation) by $\delta_1 > 0$, a clock reset transition (by adding a dummy clock) performing stack operation $(a, \gamma)$, followed by a progress transition (without a stack operation) by $\delta_2 > 0$, whenever $\delta = \delta_1 + \delta_2$. A translation can be worked out by expressing any PTA with a stack operation for each progress transition by a PTA defined in this paper. Since we focus on the clock/stack behaviors of a PTA, instead of the $\omega$-language accepted by it, input symbols are not considered in our definition. (The input to a timed automaton is always one-way. Thus, input symbols can always be built into states.)

Lemma 10. Let $A$ be a PTA. For any states $s_0$ and $s_1$, any two initial clock valuations $v_0^1$ and $v_0^2$, any two clock valuations $v_1$ and $v_2$, and any two stack words $w_0$ and $w_1$, if $(v_0^1, v_1) \approx (v_0^2, v_2)$, then,

$$(s_0, v_0^1, w_0) \to_A^* (s_1, v_1, w_1) \quad \text{iff} \quad (s_0, v_0^2, w_0) \to_A^* (s_1, v_2, w_1).$$

Proof. Lemma 8 and Lemma 9 already give the result, but for $\to_A$ instead of $\to_A^*$, noticing that Lemma 9 guarantees that tests (and obviously stack operations) are consistent in $(s_0, v_0^1, w_0) \to_A (s_1, v_1, w_1)$ and in $(s_0, v_0^2, w_0) \to_A (s_1, v_2, w_1)$. An induction (on the length of $\to_A^*$) can be used to show the lemma, by working from $(s_1, v_1, w_1)$ back to $(s_0, v_0, w_0)$. $\blacksquare$

Example 5. It is time to show an example to convince the reader that Lemma 10 indeed works. Consider the timed automaton $A$ shown in the accompanying figure. Let $v_0^1 = (0, 4.98, 2.52)$, $v_3^1 = (5.36, 2.89, 7.88)$. $(s_1, v_0^1) \to_A^* (s_2, v_3^1)$ is witnessed by: $(s_1, v_0^1) \to_A$ (progress by 2.47 at $s_1$) $(s_1, v_1^1) \to_A$ (reset $x_1$ and transit to $s_2$) $(s_2, v_2^1) \to_A$ (progress by 2.89 at $s_2$) $(s_2, v_3^1)$. Take a new pair $v_0^2 = (0, 4.89, 2.11)$, $v_3^2 = (5.28, 2.77, 7.39)$. It is easy to check $(v_0^1, v_3^1) \approx (v_0^2, v_3^2)$. From Lemma 10, $(s_1, v_0^2) \to_A^* (s_2, v_3^2)$. Indeed, this is witnessed by $(s_1, v_0^2) \to_A$ (progress by 2.51 at $s_1$) $(s_1, v_1^2) \to_A$ (reset $x_1$ and transit to $s_2$) $(s_2, v_2^2) \to_A$ (progress by 2.77 at $s_2$) $(s_2, v_3^2)$. These two witnesses differ slightly (2.47 and 2.89, vs. 2.51 and 2.77). We choose 2.77 and 2.51 by looking at the first witness backwards. That is, $v_2^2$ is picked such that $(v_0^1, v_2^1) \approx (v_0^2, v_2^2)$. Then, $v_1^2$ is picked such that $(v_0^1, v_1^1) \approx (v_0^2, v_1^2)$. The existence of $v_2^2$ and $v_1^2$ is guaranteed by Lemma 9. Finally, according to Lemma 9 again, $v_1^2$ is able to go back to $v_0^2$. This is because $v_1^1$ goes back to $v_0^1$ through a one-step transition and $v_0^2$ is initial. $\blacksquare$
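The two witnesses of Example 5 can be replayed against the one-step semantics of this section. The block below is an added example, not code from the paper: clock values are exact rationals, a progress transition adds $\delta$ to every clock and checks the invariant, and a reset transition checks the reset condition, zeroes the clocks in $r$, checks the target invariant and rewrites the stack top. A clock constraint is restricted here to a conjunction of the atomic forms of Section 4; for such conjunctions the set of valuations satisfying the constraint is convex along a progress line (each difference atom is constant under progress, each unary atom cuts out an interval), so "the invariant holds for all $0 \le \delta' \le \delta$" reduces to checking the two end points. Disjunctions are deliberately not supported, because for them the end-point test is unsound. The invariants, reset condition and stack operation of the Example 5 automaton are not visible in the text, so the ones used below are assumptions chosen to enable both witnesses.

```python
"""One-step PTA semantics (Section 5) replayed on Example 5 (added example)."""
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

Valuation = Tuple[Fraction, ...]                    # x_0 (auxiliary), x_1, ..., x_k
Atom = Tuple[int, Optional[int], str, int]           # (i, j or None, op, d)
Config = Tuple[str, Valuation, str]                  # (state, valuation, stack word)

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def sat(v: Valuation, c: List[Atom]) -> bool:
    """v in c for a conjunction c of atomic constraints."""
    for i, j, op, d in c:
        lhs = v[i] - v[j] if j is not None else v[i]
        if not OPS[op](lhs, d):
            return False
    return True


def progress(v: Valuation, delta: Fraction, inv: List[Atom]) -> Optional[Valuation]:
    """A progress transition by delta > 0; None if it is not enabled."""
    if delta <= 0:
        return None
    v2 = tuple(x + delta for x in v)
    # For conjunctions of atoms the satisfying set is convex: end points suffice.
    return v2 if sat(v, inv) and sat(v2, inv) else None


def reset(v: Valuation, r: set) -> Valuation:
    """v downarrow_r: clocks in r become 0, all others are unchanged."""
    return tuple(Fraction(0) if i in r else x for i, x in enumerate(v))


class PTA:
    def __init__(self, inv: Dict[str, List[Atom]],
                 edges: Dict[Tuple[str, str], Tuple[List[Atom], set, str, str]]):
        self.inv = inv        # Inv(s)
        self.edges = edges    # (s, s') -> (c, r, a, gamma): R(s, s') and PD(s, s')

    def step_progress(self, cfg: Config, delta: Fraction) -> Optional[Config]:
        s, v, w = cfg
        v2 = progress(v, delta, self.inv[s])
        return None if v2 is None else (s, v2, w)

    def step_reset(self, cfg: Config, s2: str) -> Optional[Config]:
        s, v, w = cfg
        edge = self.edges.get((s, s2))
        if edge is None:
            return None
        c, r, a, gamma = edge
        if not (sat(v, self.inv[s]) and sat(v, c)):      # Inv(s_1) and reset condition
            return None
        v2 = reset(v, r)
        if not sat(v2, self.inv[s2]) or not w.startswith(a):
            return None
        return (s2, v2, gamma + w[len(a):])               # replace top symbol a by gamma


def run(pta: PTA, cfg: Config, script) -> Optional[Config]:
    """Apply ('p', delta) / ('r', target state) steps; None if a step is blocked."""
    for kind, arg in script:
        cfg = pta.step_progress(cfg, arg) if kind == "p" else pta.step_reset(cfg, arg)
        if cfg is None:
            return None
    return cfg


def F(s: str) -> Fraction:
    return Fraction(s)


# Assumed automaton for Example 5 (invariants, guard and stack op are not in the text).
EX5 = PTA(
    inv={"s1": [(1, None, "<=", 8)], "s2": [(1, None, "<", 3)]},
    edges={("s1", "s2"): ([(1, None, ">", 7)], {1}, "a", "ba")},
)
WITNESS_1 = [("p", F("2.47")), ("r", "s2"), ("p", F("2.89"))]
WITNESS_2 = [("p", F("2.51")), ("r", "s2"), ("p", F("2.77"))]


def example5() -> Tuple[Optional[Config], Optional[Config]]:
    """Both runs of Example 5 from their initial configurations (stack 'a' assumed)."""
    c1 = run(EX5, ("s1", (F("0"), F("4.98"), F("2.52")), "a"), WITNESS_1)
    c2 = run(EX5, ("s1", (F("0"), F("4.89"), F("2.11")), "a"), WITNESS_2)
    return c1, c2


if __name__ == "__main__":
    print(example5())
```

Both runs end in the valuations the example states, $(5.36, 2.89, 7.88)$ and $(5.28, 2.77, 7.39)$, with the same stack word; a progress of 3 at $s_2$ is refused because the end point violates the assumed invariant $x_1 < 3$.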

Now, we express $\to_A^*$ in a form treating the integral parts and the fractional parts of clock values separately. For any pattern $\eta \in \Phi$, any discrete valuations $u_0$ and $u_1$, and any stack words $w_0$ and $w_1$, define $(s_0, u_0, w_0) \to_{A,\eta}^* (s_1, u_1, w_1)$ to be

$$\exists v_0 \exists v_1 \big( v_0(0) = 0 \wedge \lceil v_0 \rceil = u_0 \wedge \lceil v_1 \rceil = u_1 \wedge (v_0, v_1) \in \eta \wedge (s_0, v_0, w_0) \to_A^* (s_1, v_1, w_1) \big).$$

Lemma 11. Let $A$ be a PTA. For any states $s_0$ and $s_1$, any initialized pair $(v_0, v_1)$, and any stack words $w_0$ and $w_1$, $(s_0, v_0, w_0) \to_A^* (s_1, v_1, w_1)$ iff

$$\bigvee_{\eta \in \Phi} \big( (\lfloor v_0 \rfloor, \lfloor v_1 \rfloor) \in \eta \wedge (s_0, \lceil v_0 \rceil, w_0) \to_{A,\eta}^* (s_1, \lceil v_1 \rceil, w_1) \big).$$

Proof. ($\Rightarrow$) is immediate.

($\Leftarrow$) uses the following observation (from the definition of $\approx$ and Lemma 10): for any pattern $\eta$, $(\lfloor v_0 \rfloor, \lfloor v_1 \rfloor) \in \eta \wedge (s_0, \lceil v_0 \rceil, w_0) \to_{A,\eta}^* (s_1, \lceil v_1 \rceil, w_1)$ implies

$$(\lfloor v_0 \rfloor, \lfloor v_1 \rfloor) \in \eta \wedge (s_0, \lceil v_0 \rceil + \lfloor v_0 \rfloor, w_0) \to_A^* (s_1, \lceil v_1 \rceil + \lfloor v_1 \rfloor, w_1). \quad \blacksquare$$

Once we give a characterization of $\to_{A,\eta}^*$, Lemma 11 immediately gives a characterization for $\to_A^*$. Fortunately, the characterization of $\to_{A,\eta}^*$ is a decidable one, as shown in the next section.

6 The Pattern Graph of a Timed Pushdown Automaton

Let $A = (S, \{x_1, \cdots, x_k\}, Inv, R, \Gamma, PD)$ be a PTA specified in the previous section. The pattern graph $G$ of $A$ is a tuple

$$(S \times \Phi, \{y_0, \cdots, y_k\}, E, \Gamma)$$

where

- $S$ is the states in $A$,

- $\Phi$ is the set of all patterns. A node is an element in $S \times \Phi$,

- Discrete clocks $y_0, \cdots, y_k$ are the integral parts of the clocks $x_0, \cdots, x_k$ in $A$,

- $E$ is a finite set of (directed) edges that connect between nodes. An edge can be a progress edge, a stay edge, or a reset edge. A progress edge corresponds to progress transitions in $A$ that cause one pattern change. A stay edge corresponds to progress transitions in $A$ that cause no pattern change. Since a progress transition can cause no pattern change only from a merge-pattern, a stay edge connects a merge-pattern to itself. A reset edge corresponds to a reset transition in $A$. Formally, a progress edge $e_{s,\eta,\eta'}$ that connects node $(s, \eta)$ to node $(s, \eta')$ is in the form of $((s, \eta), c, (s, \eta'))$ such that $c = Inv(s)$, $\eta' = Next(\eta)$ (thus $\eta \ne \eta'$). A stay edge $e_{s,\eta,\eta}$, with $\eta$ being a merge-pattern, that connects node $(s, \eta)$ to itself is in the form of $((s, \eta), c, (s, \eta))$ such that $c = Inv(s)$. A reset edge $e_{s,\eta,s',\eta',(a,\gamma)}$ that connects node $(s, \eta)$ to node $(s', \eta')$ is in the form of

$$((s, \eta), c, r, a, \gamma, (s', \eta'))$$

where $R(s, s') = (c, r)$ and $PD(s, s') = (a, \gamma)$. $E$ is the set of all progress edges, stay edges, and reset edges wrt $A$. Obviously, $E$ is finite.

A configuration of $G$ is a tuple $(s, \eta, u, w)$ of state $s \in S$, pattern $\eta \in \Phi$, discrete valuation $u \in (N^+)^{k+1}$ and stack word $w \in \Gamma^*$. $(s, \eta, u, w) \to_G^e (s', \eta', u', w')$ denotes a one-step transition through edge $e$ of $G$ if the following conditions are satisfied:

- if $e$ is a progress edge, then $e$ takes the form $((s, \eta), c, (s, \eta'))$ and $s' = s$, $u \in c^\eta$, $u' \in c^{\eta'}$, $next(\eta, u) = (\eta', u')$ and $w = w'$. Here $c^\eta$ and $c^{\eta'}$ are called the pre- and the post- (progress) tests on edge $e$, respectively.

- if $e$ is a stay edge, then $e$ takes the form $((s, \eta), c, (s, \eta))$ and $s = s'$, $u \in c^\eta$, $u = u'$, $\eta = \eta'$ and $w = w'$. Here $c^\eta$ is called the pre- and the post- (stay) test on edge $e$.

- if $e$ is a reset edge, then $e$ takes the form $((s, \eta), c, r, a, \gamma, (s', \eta'))$ and $u \in (c \wedge Inv(s))^\eta$, $u' \in Inv(s')^{\eta'}$, $reset_r(\eta, u) = (\eta', u')$ and $w = aw''$, $w' = \gamma w''$ for some $w'' \in \Gamma^*$ (i.e., $w$ changes to $w'$ according to the stack operation). Here $(c \wedge Inv(s))^\eta$ and $Inv(s')^{\eta'}$ are called the pre- and the post- (reset) tests on edge $e$, respectively.

We write $(s, \eta, u, w) \to_G (s', \eta', u', w')$ if $(s, \eta, u, w) \to_G^e (s', \eta', u', w')$ for some $e$.

The binary reachability $\to_G^*$ of $G$ is the transitive closure of $\to_G$.

The pattern graph $G$ simulates $A$ in a way that the integral parts of the dense clocks are kept but the fractional parts are abstracted as a pattern. Edges in $G$ indicate how the pattern and the discrete clocks change when a clock progress or a clock reset occurs in $A$. However, a progress transition in $A$ could cause more than one pattern change. In this case, this big progress transition is treated as a sequence of small progress transitions such that each causes one pattern change (and therefore, each small progress transition in $A$ can be simulated by a progress edge in $G$). We first show that the binary reachability $\to_G^*$ of $G$ is NPCA. Observe that discrete clocks $y_0, \cdots, y_k$ are the integral values of dense clocks $x_0, \cdots, x_k$. Even though the dense clocks progress synchronously, the discrete clocks may not be synchronous (i.e., that one discrete clock is incremented by 1 does not necessarily cause all the other discrete clocks to be incremented by the same amount). The proof has two parts. In the first part of the proof, a technique is used to translate $y_0, \cdots, y_k$ into another array of discrete clocks that are synchronous. In the second part of the proof, $G$ can be treated as a discrete PTA [19] by replacing $y_0, \cdots, y_k$ with the synchronous discrete clocks. Therefore, Lemma 12 is obtained from the fact [19] that the binary reachability of a discrete PTA is NPCA.$^2$

Lemma 12. For any PTA $A$, the binary reachability $\to_G^*$ of the pattern graph $G$ of $A$ is NPCA. In particular, if $A$ is a timed automaton, then the binary reachability $\to_G^*$ is Presburger.

Proof. We start with a technique that makes discrete clocks $y_0, \cdots, y_k$ (i.e., the integral parts of dense clocks) synchronous on any path of $G$.

A pattern ordering graph $P$ is a directed graph on $\Phi$. For each (ordered) pair $(\eta, \eta')$ in $\Phi \times \Phi$, $(\eta, \eta')$ is a progress edge, written $\eta \to_p \eta'$, if $Next(\eta) = \eta'$. In this case, we say the edge has label $p$ (stands for "progress") and $\eta'$ is called the $p$-successor of $\eta$. $(\eta, \eta')$ is a reset edge with $r \subseteq K^+$, written $\eta \to_r \eta'$, if $Reset_r(\eta) = \eta'$. In this case, we say the edge has label $r$ and $\eta'$ is called the $r$-successor of $\eta$. An edge can have multiple labels.

$^2$ For the purpose of this paper, we assume $\to_G^*$ in Lemma 12 is restricted in such a way that $\eta$ is a regulated pattern whenever $(s, \eta, u, w) \to_G^* (s', \eta', u', w')$. This is because the auxiliary clock $x_0$ in $A$ starts from 0.
A path $\tau$ on $P$ is a sequence of edges

$$\eta_0 \to_{l_1} \eta_1 \to_{l_2} \cdots \to_{l_m} \eta_m$$

such that each $l_i$ is a label (either $p$ or some $r \subseteq K^+$). $j \in K^+$ is reset on path $\tau$ if $j \in l_i$ for some $1 \le i \le m$. Path $\tau$ is a $p$-path if each edge on the path is a progress edge; i.e., label $l_i$ is $p$ for all $1 \le i \le m$. Path $\tau$ is a regulated path if $\eta_0$ is a regulated pattern. Path $\tau$ is a $p$-ring of $\eta_0$ if $\tau$ is a $p$-path, and $\eta_0, \cdots, \eta_m$ is the pattern ring of $\eta_0$.

Now we augment $P$ with counters $y$ ($= y_0, \cdots, y_k$) taking values in $(N^+)^{k+1}$. Values of counters $y$ change along a path in $P$. For each progress edge $\eta \to_p \eta'$, counters $y$ change to $y'$ as follows: $y' := y + \Delta_\eta$ (recall $\Delta_\eta$ is the increment vector for $\eta$), consistent with the definition that $next(\eta, y) = (\eta', y + \Delta_\eta)$. For each reset edge $\eta \to_r \eta'$, counters $y$ change to $y'$ as follows: $y' := y \downarrow_r$, consistent with the definition that $reset_r(\eta, y) = (\eta', y \downarrow_r)$. For a $p$-path $\tau = \eta_0, \cdots, \eta_m$, $\Delta_\tau = \sum_{0 \le i \le m-1} \Delta_{\eta_i}$ is the net increment for counters $y$ after walking through the path. In particular, $\Delta_\tau = \mathbf{1}$ for each $p$-ring $\tau$.

A progress edge $\eta \to_p \eta'$ is add-1 if $\eta'$ is a regulated pattern. A path is short if it is a regulated path and, it does not contain an add-1 edge or it contains an add-1 edge but only at the end of the path. A path is add-1 if it is a short path containing an add-1 edge. By definition, an add-1 path starts and ends with regulated patterns and each pattern in between along the path is not a regulated pattern. The following lemma is directly from the definitions of $reset$ and $next$.

Lemma 13. For any path $\tau$, (1). if $\tau$ is a short path, then for each $i \in K^+$ that is reset on $\tau$, $y_i$ has value 0 at the end of $\tau$, (2). if $\tau$ is an add-1 path, then for each $i \in K$ that is not reset on $\tau$, $y_i$ has progressed by exactly 1 at the end of $\tau$.

When walking along a path in $P$, a counter in $y$ is always nondecreasing except sometimes it resets. However, counters $y$ are not synchronous: that one counter's advancing by 1 at some progress edge does not always cause all the other counters to advance by the same amount.

Now we are going to show that, on any regulated path, $y$ can be simulated by a set of synchronous counters $z = z_0, \cdots, z_k$. The ideas are as follows. Let $\tau$ be any regulated path of $P$. $\tau$ then can be concatenated by segments: a number of add-1 paths followed by a short path. We introduce an increment vector $\Delta \in \{0,1\}^{k+1}$ to denote how much a counter in $y$ progresses on a segment. Besides, we use $I \subseteq K^+$ to remember the indices $i \in K^+$ that are reset on each segment. Assume counters $y$ walk through $\tau$ and change counter values from $u$ to $u'$. Then, in the simulation, counters $z$ start from $u$ with $\Delta = \mathbf{0}$ and $I = \emptyset$. After walking through $\tau$ (while updating $\Delta$ and $I$ along the path), counters $z$ have values satisfying $u' = (z + \Delta) \downarrow_I$. The simulation is defined by the following translation. For each progress edge $\eta \to_p \eta'$, the instruction $y' := y + \Delta_\eta$ is replaced by:

- if $\eta'$ is a regulated pattern (hence the edge is an add-1 edge), i.e., the end of the current segment, then $z' := (z + \mathbf{1}) \downarrow_I$ (synchronous progress followed by resets); $I' := \emptyset$; $\Delta' := \mathbf{0}$;

- else, $z' := z$; $I' := I$; $\Delta' := \Delta + \Delta_\eta$.

For each reset edge $\eta \to_r \eta'$, the instruction $y' := y \downarrow_r$ is replaced by:

- $z' := z \downarrow_r$; $\Delta' := \Delta \downarrow_r$; $I' := I \cup r$.

Obviously $z$ are synchronous. The correctness of the algorithm is stated as follows.

Claim. For any regulated path $\tau$, $y = (z + \Delta) \downarrow_I$ at the end of $\tau$.

Proof. Given a regulated path $\tau$. Since $\tau$ can be split into a number of segments as mentioned before, and by looking at the translation, at the end of each add-1 path, $\Delta = \mathbf{0}$ and $I = \emptyset$ (i.e., the initial values for $\Delta$ and $I$). Therefore, it suffices to show the claim for a segment, i.e., a short path $\tau$, by induction on the length of $\tau$. Notice that, from the translation, $I$ stands for the set of indices that have been reset on the short path; $\Delta$ stands for the increment that has been made on the short path for counters $y$. The relationship between $I$ and $\Delta$ is established in Lemma 13, which will be used in the proof.

Case 1. The claim trivially holds for $\tau$ with length 1.

Case 2. Assume the claim holds for short paths with length $\le m$. Now consider a short path with length $m + 1$. This path can be written as a short path $\tau$ followed by an edge $e$ of $(\eta, \eta')$. Note that, by the induction hypothesis, $y = (z + \Delta) \downarrow_I$ at $\eta$ (the end of $\tau$). Now we are going to show $y' = (z' + \Delta') \downarrow_{I'}$ where primed values are for node $\eta'$.

Case 2.1. If edge $e$ is a progress edge and $\eta'$ is a regulated pattern, then, from the translation, $z' = (z + \mathbf{1}) \downarrow_I$, $I' = \emptyset$, $\Delta' = \mathbf{0}$. Therefore,

$$\begin{aligned}
y' &= y + \Delta_\eta \\
   &= (z + \Delta) \downarrow_I + \Delta_\eta && \text{(induction)} \\
   &= (z + \Delta + \Delta_\eta) \downarrow_I && \text{(Lemma 13 (1))} \\
   &= (z + \mathbf{1}) \downarrow_I && \text{(Lemma 13 (2))} \\
   &= z' = (z' + \Delta') \downarrow_{I'} && \text{(since } I' = \emptyset,\ \Delta' = \mathbf{0}\text{)}.
\end{aligned}$$

Case 2.2. If the edge is a progress edge and $\eta'$ is not a regulated pattern, then, from the translation, $z' = z$, $I' = I$, and $\Delta' = \Delta + \Delta_\eta$. Therefore,

$$\begin{aligned}
y' &= y + \Delta_\eta \\
   &= (z + \Delta) \downarrow_I + \Delta_\eta && \text{(induction)} \\
   &= (z + \Delta + \Delta_\eta) \downarrow_I && \text{(Lemma 13 (1))} \\
   &= (z' + \Delta') \downarrow_{I'} && \text{(since } I' = I \text{ and } \Delta' = \Delta + \Delta_\eta\text{)}.
\end{aligned}$$

Case 2.3. If the edge is a reset edge $\eta \to_r \eta'$, then, from the translation, $z' = z \downarrow_r$, $\Delta' = \Delta \downarrow_r$, and $I' = I \cup r$. Therefore,

$$\begin{aligned}
y' &= y \downarrow_r \\
   &= (z + \Delta) \downarrow_I \downarrow_r && \text{(induction)} \\
   &= (z' + \Delta') \downarrow_{I'}.
\end{aligned}$$

Hence, the claim holds. $\blacksquare$
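The translation from $y$ to $(z, \Delta, I)$ and the Claim can be exercised on a concrete path. The block below is an added example, not code from the paper: it does not build the pattern ordering graph, but takes a path directly as a list of labelled edges, which is all the translation consumes. A progress edge carries the increment vector $\Delta_\eta$ of its source pattern and a flag saying whether its target pattern is regulated (i.e. whether the edge is add-1); a reset edge carries its reset set $r$. The paper's direct update of $y$ and the translated update of $z$, $\Delta$ and $I$ run side by side and the Claim $y = (z + \Delta) \downarrow_I$ is checked after every edge. The sample path is constructed to be consistent with Lemma 13: on each segment a counter that has been reset is not incremented afterwards, and every other counter is incremented exactly once before the add-1 edge.

```python
"""Synchronous counters z simulating the counters y of the pattern
ordering graph (translation in the proof of Lemma 12; added example)."""
from typing import List, Tuple, Union

Vec = Tuple[int, ...]
Edge = Union[Tuple[str, Vec, bool], Tuple[str, set]]  # ("p", Delta_eta, add-1?) | ("r", r)


def down(x: Vec, idx: set) -> Vec:
    """x downarrow_idx: zero the components whose index is in idx."""
    return tuple(0 if i in idx else xi for i, xi in enumerate(x))


def add(x: Vec, y: Vec) -> Vec:
    return tuple(a + b for a, b in zip(x, y))


def simulate(u: Vec, path: List[Edge]) -> List[dict]:
    """Walk `path` from initial counters u; return the per-edge trace."""
    n = len(u)
    one, zero = (1,) * n, (0,) * n
    y, z, Delta, I = u, u, zero, set()
    trace = []
    for e in path:
        if e[0] == "p":
            _, d_eta, regulated = e
            y = add(y, d_eta)                        # y' := y + Delta_eta
            if regulated:                            # add-1 edge: end of the segment
                z, I, Delta = down(add(z, one), I), set(), zero
            else:                                    # defer: remember the increment
                Delta = add(Delta, d_eta)
        else:
            _, r = e
            y = down(y, r)                           # y' := y downarrow_r
            z, Delta, I = down(z, r), down(Delta, r), I | r
        trace.append({"y": y, "z": z, "Delta": Delta, "I": set(I),
                      "claim": y == down(add(z, Delta), I)})
    return trace


def z_is_synchronous(trace: List[dict], path: List[Edge], u: Vec) -> bool:
    """z only ever stays, advances by 1 in every coordinate (then resets
    some), or resets some coordinates: the property that lets G be
    treated as a discrete PTA."""
    prev = u
    for e, st in zip(path, trace):
        z = st["z"]
        if e[0] == "p" and e[2]:
            ok = all(zi == pz + 1 or zi == 0 for zi, pz in zip(z, prev))
        elif e[0] == "p":
            ok = z == prev
        else:
            ok = all(zi == pz or zi == 0 for zi, pz in zip(z, prev))
        if not ok:
            return False
        prev = z
    return True


# Constructed regulated path over three counters y_0, y_1, y_2 (k = 2).
PATH: List[Edge] = [
    ("p", (1, 0, 0), False),   # y_0 crosses an integer boundary
    ("r", {1}),                # reset x_1
    ("p", (0, 0, 1), False),   # y_2 crosses an integer boundary
    ("p", (0, 0, 0), True),    # add-1 edge closes the first segment
    ("r", {2}),                # second segment: reset x_2 (x_0 is never reset)
    ("p", (0, 1, 0), False),   # y_1 crosses an integer boundary
    ("p", (1, 0, 0), True),    # add-1 edge: y_0 and y_1 each advanced once
]


def final_counters(u: Vec, path: List[Edge]) -> Tuple[Vec, Vec]:
    """(y, z) at the end of the path; they coincide after an add-1 edge."""
    last = simulate(u, path)[-1]
    return last["y"], last["z"]


if __name__ == "__main__":
    for step in simulate((0, 0, 0), PATH):
        print(step)
```

Between add-1 edges $z$ does not move at all; the deferred increments live in $\Delta$ and the resets in $I$, and the add-1 edge applies them all at once as a single synchronous $+\mathbf{1}$ followed by the resets.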

Now we continue the proof of Lemma 12. Let $G$ be the pattern graph of a PTA $A$. A path in $G$ witnessing

$$(s, \eta, u, w) \to_G^* (s', \eta', u', w')$$

(with $\eta$ being a regulated pattern) between two configurations corresponds to a regulated path (by properly adding stack operations) in the pattern ordering graph $P$. In the above, we have demonstrated a technique such that counters $y = y_0, \cdots, y_k$ can be simulated by synchronous counters $z = z_0, \cdots, z_k$ using an increment vector $\Delta \in \{0,1\}^{k+1}$ and a reset set $I \subseteq K^+$. The relationship between $y$ and $z$ is $y = (z + \Delta) \downarrow_I$. Tests in $G$ (including all the pre- and post- (progress, stay and reset) tests) are in the form of Boolean combinations of $y_i - y_j \,\#\, d$, $y_i \,\#\, d$ with $i, j \in K^+$ and $d \in N^+$ (Section 4). Since there are only a finite number of choices for $I$ and $\Delta$, these tests can be accordingly translated to tests on $z_0, \cdots, z_k$, using the relationship $y = (z + \Delta) \downarrow_I$. Observe that the translated tests are still in the form of Boolean combinations of $z_i - z_j \,\#\, d$, $z_i \,\#\, d$ with $i, j \in K^+$ and with probably larger or smaller $d$. Since $z$ are synchronous, $G$, with $y$ simulated by $z$, is a discrete PTA [19]. In that paper, these synchronized discrete clocks $z$ can be further translated into reversal-bounded counters. Hence, the binary reachability of a discrete PTA is NPCA as shown in [19]. Therefore, the lemma follows by translating back from $z$ to $y$ using $y = (z + \Delta) \downarrow_I$ at the initial and at the end of the simulation (this requires only a finite number of counter reversals). Thus, $\to_G^*$ is NPCA.

In particular, when $A$ is a timed automaton, $G$, with $y$ simulated by $z$, is a discrete timed automaton [19]. Using the fact [19] that the binary reachability of a discrete timed automaton is Presburger, $\to_G^*$ is also Presburger after the translation from $z$ back to $y$. $\blacksquare$

The following lemma states that $G$ faithfully simulates $A$ when the fractional parts of dense clocks are abstracted away by a pattern.

Lemma 14. Let $A$ be a PTA with pattern graph $G$. For any states $s_0$ and $s_1$ in $S$, any pattern $\eta \in \Phi$, any stack words $w_0$ and $w_1$ in $\Gamma^*$, and any discrete valuation pairs $(u_0, u_1)$ with $u_0(0) = 0$, we have,

$$(s_0, u_0, w_0) \to_{A,\eta}^* (s_1, u_1, w_1) \quad \text{iff} \quad (s_0, init(\eta), u_0, w_0) \to_G^* (s_1, \eta, u_1, w_1).$$

Proof. Fix any states $s_0, s_1 \in S$, any pattern $\eta \in \Phi$, any stack words $w_0$ and $w_1$ in $\Gamma^*$, and any discrete valuation pairs $(u_0, u_1)$ with $u_0(0) = 0$.

($\Rightarrow$). By the definition of $(s_0, u_0, w_0) \to_{A,\eta}^* (s_1, u_1, w_1)$, there exists an initialized pair $(v_0, v_1)$ such that

- $(v_0, v_1)$ has pattern $\eta$,

- $\lceil v_0 \rceil = u_0$, $\lceil v_1 \rceil = u_1$,

- $(s_0, v_0, w_0) \to_A^* (s_1, v_1, w_1)$.

In order to show that $(s_0, [(v_0, v_0)], \lceil v_0 \rceil, w_0) \to_G^* (s_1, [(v_0, v_1)], \lceil v_1 \rceil, w_1)$ (notice that $init(\eta) = [(v_0, v_0)]$), it suffices to show that each one-step transition in $A$ can be simulated by $\to_G^*$ properly: for any valuations $v, v'$, any states $s$ and $s'$, and any stack words $w$ and $w'$, if $(s, v, w) \to_A (s', v', w')$ then $(s, [(v_0, v)], \lceil v \rceil, w) \to_G^* (s', [(v_0, v')], \lceil v' \rceil, w')$.

Case 1. For any valuation $v$ and state $s$, consider a progress transition in $A$, $(s, v, w) \to_A (s, v + \delta, w')$, $\delta > 0$, such that (by definition) $w = w'$, and $\forall\, 0 \le \delta' \le \delta$, $v + \delta' \in Inv(s)$. Let $\eta_0$ be the pattern of $(v_0, v)$. If $v$ has no pattern change for $\delta$, then $\eta_0$ must be a merge-pattern. This progress transition in $A$ can therefore be simply simulated by the stay edge in $G$ at state $s$. If, however, $v$ has at least one pattern change for $\delta$, then assume the $p$-ring of $\eta_0$ is $\eta_0, \cdots, \eta_m = \eta_0$. This progress transition in $A$ can be simulated by the following path consisting of progress edges in $G$: looping along the $p$-ring for $\lceil \delta \rceil$ times on state $s$ in $G$, followed by a prefix of the $p$-ring ending with the pattern $\eta_i$, for some $i$, of $(v_0, v + \delta)$. From Lemma 6 and the lemma on $next$ in Section 3, it can be established that $(s, \eta_0, \lceil v \rceil, w) \to_G^* (s, \eta_i, \lceil v + \delta \rceil, w)$ through the path in $G$, noticing that tests for $Inv(s)$ are consistent in $A$ and $G$ (Lemma 8) and the stack word does not change for progress transitions in both $A$ and $G$.

Case 2. For any valuation $v$ and states $s$ and $s'$, consider a reset transition $(s, v, w) \to_A (s', v \downarrow_r, w')$ in $A$ such that (by definition) $w = aw''$, $w' = \gamma w''$ for some $w''$ with $PD(s, s') = (a, \gamma)$, $R(s, s') = (c, r)$ and $v \in Inv(s) \wedge c$, $v \downarrow_r \in Inv(s')$. Assume the pattern of $(v_0, v)$ is $\eta_0$ and the pattern of $(v_0, v \downarrow_r)$ is $\eta_0'$. This reset transition in $A$ corresponds to the reset edge in $G$: $((s, \eta_0), c, r, a, \gamma, (s', \eta_0'))$. From Lemma 7 it can be established that $(s, \eta_0, \lceil v \rceil, w) \to_G (s', \eta_0', \lceil v \downarrow_r \rceil, w')$ through this edge, noticing that tests for $Inv(s) \wedge c$ and $Inv(s')$ are consistent in $A$ and $G$ (Lemma 8), and the stack operations are the same in $A$ and $G$.

($\Leftarrow$). Suppose $(s_0, init(\eta), u_0, w_0) \to_G^* (s_1, \eta, u_1, w_1)$. We would like to show

$$(s_0, u_0, w_0) \to_{A,\eta}^* (s_1, u_1, w_1).$$

Pick any initial valuation $v_0$ such that $(v_0, v_0)$ has pattern $init(\eta)$ and $\lceil v_0 \rceil = u_0$. Suppose $(s^0, \eta_0, u^0, w^0) \to_G^{e_1} \cdots \to_G^{e_m} (s^m, \eta_m, u^m, w^m)$ is a path (in $G$) witnessing $(s_0, init(\eta), u_0, w_0) \to_G^* (s_1, \eta, u_1, w_1)$ through edges $e_1, \cdots, e_m$ such that

$$(s^0, \eta_0, u^0, w^0) = (s_0, init(\eta), u_0, w_0)$$

and

A path in $A$

$$(s^0, v^0, w^0) \to_A \cdots \to_A (s^m, v^m, w^m)$$

is constructed as follows, where $v^0 = v_0$ and each transition $t_i$ in $A$ corresponds to each edge $e_i$ in $G$. From $i = 1$ to $m$, each $e_i$ belongs to one of the following three cases:

Case 1. $e_i$ is a progress edge in $G$. In this case, $next(\eta_{i-1}, u^{i-1}) = (\eta_i, u^i)$, $w^i = w^{i-1}$, and $s^{i-1} = s^i$. We pick $t_i$ to be a progress transition (at state $s^{i-1}$) in $A$ from $v^{i-1}$ with an amount of $\delta$ that causes exactly one pattern change (Lemma 6 and the lemma on $next$ in Section 3). Take $v^i = v^{i-1} + \delta$. Notice that both the progress edge and the progress transition do not change the stack content, i.e., $w^i = w^{i-1}$.

Case 2. $e_i$ is a stay edge in $G$. In this case, $\eta_{i-1} = \eta_i$ must be a merge-pattern with $u^{i-1} = u^i$, $w^i = w^{i-1}$, and $s^{i-1} = s^i$. We pick $t_i$ to be a progress transition (at state $s^{i-1}$) in $A$ from $v^{i-1}$ with an amount of $\delta$ that causes no pattern change (Lemma 6). Similarly to Case 1, $w^i = w^{i-1}$.

Case 3. $e_i$ is a reset edge from state $s^{i-1}$ to state $s^i$ with clock resets $r$ in $G$; then $t_i$ is the reset transition from state $s^{i-1}$ to state $s^i$ with clock resets $r$ in $A$. Notice that both $e_i$ and $t_i$ have the same stack operation. Take $v^i = v^{i-1} \downarrow_r$, and $w^i$ is the result of the stack operation on $w^{i-1}$.

Notice that, for each $i = 1, \cdots, m$,

- $(v_0, v^i)$ has pattern $\eta_i$,

- $\lceil v^i \rceil = u^i$.

This can be shown using the lemma on $next$ for Case 1, Lemma 6 for Case 2, and Lemma 7 for Case 3. Therefore, this constructed path of $A$ keeps exactly the same patterns and integral parts of clocks, as well as the stack word, as in the path for $G$. From Lemma 8, clock tests (and obviously the stack operations) are consistent between the path in $G$ and the constructed path in $A$. Hence, $(s_0, u_0, w_0) \to_{A,\eta}^* (s_1, u_1, w_1)$ since, by taking $v_1 = v^m$,

- $(v_0, v_1)$ has pattern $\eta$,

- $\lceil v_0 \rceil = u_0$, $\lceil v_1 \rceil = u_1$,

- $(s_0, v_0, w_0) \to_A^* (s_1, v_1, w_1)$. $\blacksquare$



Now, we conclude this section by claiming that $\to_{A,\eta}^*$ is NPCA by combining Lemma 12 and Lemma 14.

Lemma 15. For any PTA $A$ and any fixed pattern $\eta \in \Phi$, $\to_{A,\eta}^*$ is NPCA. In particular, if $A$ is a timed automaton, then $\to_{A,\eta}^*$ is Presburger.

7 A Decidable Binary Reachability Characterization and Automatic Verification

Recall that PTA $A$ actually has clocks $x_1, \cdots, x_k$; $x_0$ is the auxiliary clock. The binary reachability $\to_A^*$ of $A$ is the set of tuples

$$(s, v_1, \cdots, v_k, w, s', v_1', \cdots, v_k', w')$$

such that there exist $v_0 = 0$, $v_0' \in D^+$ satisfying

$$(s, v_0, \cdots, v_k, w) \to_A^* (s', v_0', \cdots, v_k', w').$$

The main theorem of this paper gives a decidable characterization for the binary reachability as follows.

Theorem 1. The binary reachability $\to_A^*$ of a PTA $A$ is (D + NPCA)-definable. In particular, if $A$ is a timed automaton, then the binary reachability can be expressed in the additive theory of reals (or rationals) and integers.

Proof. From Lemma 11, $\to_A^*$ is definable by the following formula:

$$\exists u_0' \in N^+\, \exists v_0' \in D^+ \Big( \bigvee_{\eta \in \Phi} \big( ((0, v_1, \cdots, v_k), (v_0', \cdots, v_k')) \in \eta \;\wedge\; (s, (0, u_1, \cdots, u_k), w) \to_{A,\eta}^* (s', (u_0', \cdots, u_k'), w') \big) \Big)$$

on integer variables $s, u_1, \cdots, u_k, s', u_1', \cdots, u_k'$ (over $N^+$), dense variables $v_1, \cdots, v_k, v_1', \cdots, v_k'$ (over $D^+ \cap [0, 1)$), and word variables $w$ and $w'$. This formula is equivalent to

$$\bigvee_{\eta \in \Phi} P^\eta(v_1, \cdots, v_k, v_1', \cdots, v_k') \wedge Q^\eta(s, u_1, \cdots, u_k, w, s', u_1', \cdots, u_k', w')$$

where $P^\eta(v_1, \cdots, v_k, v_1', \cdots, v_k')$ stands for

$$\exists v_0' \in D^+ \big( ((0, v_1, \cdots, v_k), (v_0', \cdots, v_k')) \in \eta \big)$$

and $Q^\eta(s, u_1, \cdots, u_k, w, s', u_1', \cdots, u_k', w')$ stands for

$$\exists u_0' \big( (s, (0, u_1, \cdots, u_k), w) \to_{A,\eta}^* (s', (u_0', \cdots, u_k'), w') \big).$$

From the definition of patterns, $P^\eta$, after eliminating the existential quantification, is a dense linear relation. On the other hand, $Q^\eta$ (after eliminating the existential quantification, from Lemma 11 and Lemma 15) is NPCA. Therefore, $\to_A^*$ is (D + NPCA)-definable.

In particular, if $A$ is a timed automaton, $Q^\eta$ is Presburger (Lemma 15), so the formula above is a formula in the additive theory of reals (or rationals) and integers. Hence, $\to_A^*$ itself can be expressed in the same theory. $\blacksquare$

The importance of the above characterization of $\leadsto_A$ is that, from Lemma ??, the
emptiness of (D + NPCA)-definable predicates is decidable. From Theorem 1 and
Lemma ??(3)(4), we have:

Theorem 2. The emptiness of $I \cap \leadsto_A$ with respect to a PTA $A$ for any mixed linear
relation $I$ is decidable.

The emptiness of $I \cap \leadsto_A$ is called a mixed linear property of $A$. Many interesting
safety properties (or their negations) for PTAs can be expressed as a mixed linear prop-
erty. For instance, consider the following property of a PTA $A$ with three dense clocks
$x_1$, $x_2$ and $x_3$:

"for any two configurations $\alpha$ and $\beta$ with $\alpha \leadsto_A \beta$, if the difference between $\beta_{x_3}$
(the value of clock $x_3$ in $\beta$) and $\alpha_{x_1} + \alpha_{x_2}$ (the sum of clocks $x_1$ and $x_2$ in $\alpha$) is greater
than the difference between $\#_a(\alpha_w)$ (the number of symbol $a$ appearing in the stack
word in $\alpha$) and $\#_b(\beta_w)$ (the number of symbol $b$ appearing in the stack word in $\beta$),
then $4\#_a(\alpha_w) - 2\#_b(\beta_w)$ is greater than 5."

The negation of this property can be expressed as the emptiness of

$(s, x_1, x_2, x_3, w) \leadsto_A (s', x'_1, x'_2, x'_3, w') \;\wedge\; I$

where $I$ is the negation of the following mixed linear relation (hence $I$ itself is also a mixed linear
relation):

$x'_3 - (x_1 + x_2) > \#_a(w) - \#_b(w') \;\rightarrow\; 4\#_a(w) - 2\#_b(w') > 5.$
Thus, from Theorem 2, this property can be automatically verified. We need to point
out that

- $x'_3 - (x_1 + x_2) > \#_a(w) - \#_b(w')$ is a linear relation on both dense variables
and discrete variables. Thus, this property can not be verified by using the decid-
able characterization for discrete PTAs [?], where only integer-valued clocks are
considered.

- Even without clocks, $4\#_a(w) - 2\#_b(w') > 5$ expresses a non-regular set of stack
word pairs. Therefore, this property can not be verified by the model-checking pro-
cedures for pushdown systems [?].

- Even without the pushdown stack, $x'_3 - (x_1 + x_2) > 0$ (obtained by taking $\#_a(w) - \#_b(w')$
as a constant such as 0) is not a clock region; therefore, the classical region-based
techniques can not verify this property. This is also pointed out in [6].

- With both dense clocks and the pushdown stack, this property can not be verified
by using the region-based techniques for Timed Pushdown Systems [?].
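The two ingredients of the characterization discussed above, as an added worked example that is not part of the paper: the abstraction of a pair of clock valuations into integral parts plus a pattern on the fractional parts (the $P_\eta$ / $Q_\eta$ split in the proof of Theorem 1), and the mixed linear relation $I$ of the three-clock property evaluated on constructed configuration pairs. The pattern definition used here (the ordering, with ties, of all fractional parts, with the zero-valued ones marked) is an assumption made for the example, and the configuration pairs are constructed and simply assumed reachable; nothing below computes reachability.

```python
from fractions import Fraction
from math import floor

# Added example (not the paper's code). Configurations are (s, x1, x2, x3, w);
# dense clock values are Fractions so that integral and fractional parts are exact.
# The pattern definition (groups of equal fractional parts, lowest first, with the
# zero group marked) is an assumption consistent with how the proof uses patterns.


def split(values):
    """Integral parts and fractional parts of a tuple of dense clock values."""
    ints = tuple(floor(v) for v in values)
    fracs = tuple(v - floor(v) for v in values)
    return ints, fracs


def pattern(fracs, fracs2):
    """Pattern of (v, v'): groups of clocks with equal fractional part, lowest
    first. Group 0 always holds the clocks whose fraction is 0 (it may be
    empty). Tags are (side, index): side 0 = v, side 1 = v'."""
    by_value = {}
    for side, fs in ((0, fracs), (1, fracs2)):
        for i, f in enumerate(fs):
            by_value.setdefault(f, set()).add((side, i))
    zero = frozenset(by_value.pop(Fraction(0), set()))
    return (zero,) + tuple(frozenset(by_value[f]) for f in sorted(by_value))


def has_pattern(fracs, fracs2, eta):
    """Membership in a pattern eta written out as the dense linear relation it
    is: f = 0 on group 0, equalities inside a group, strict inequalities
    between consecutive groups (this is the P_eta conjunct of the proof)."""
    if sum(len(g) for g in eta) != len(fracs) + len(fracs2):
        return False
    value = lambda tag: (fracs, fracs2)[tag[0]][tag[1]]
    if any(value(t) != 0 for t in eta[0]):
        return False
    lower = Fraction(0)
    for group in eta[1:]:
        vals = {value(t) for t in group}
        if len(vals) != 1 or min(vals) <= lower:
            return False
        lower = min(vals)
    return True


def abstract(v, v2):
    """Abstract (x_0 = 0, x_1..x_k) -> (x'_0, ..., x'_k) into (u, u', eta): the
    integral parts of both sides and their pattern. P_eta depends only on
    eta; Q_eta only on (u, u') and the stack words."""
    u, f = split((Fraction(0),) + tuple(v))
    u2, f2 = split(tuple(v2))
    return u, u2, pattern(f, f2)


def count(word, sym):
    """#_sym(word): number of occurrences of a stack symbol in a stack word."""
    return word.count(sym)


def premise(cfg, cfg2):
    """x'_3 - (x_1 + x_2) > #_a(w) - #_b(w'): dense and discrete terms mixed."""
    (_, x1, x2, _, w), (_, _, _, x3p, w2) = cfg, cfg2
    return x3p - (x1 + x2) > count(w, 'a') - count(w2, 'b')


def conclusion(cfg, cfg2):
    """4#_a(w) - 2#_b(w') > 5."""
    return 4 * count(cfg[4], 'a') - 2 * count(cfg2[4], 'b') > 5


def relation_I(cfg, cfg2):
    """I, the negation of (premise -> conclusion). A reachable pair that
    satisfies I is a counterexample to the property."""
    return premise(cfg, cfg2) and not conclusion(cfg, cfg2)


def find_counterexample(pairs):
    """Emptiness of I intersected with a given set of configuration pairs
    (here constructed and assumed reachable): first witness, or None."""
    for cfg, cfg2 in pairs:
        if relation_I(cfg, cfg2):
            return cfg, cfg2
    return None


# Constructed configuration pairs, assumed to lie in the binary reachability
# of some PTA; they are inputs to the check, not computed by it.
SRC = ('s', Fraction(1, 2), Fraction(3, 4), Fraction(2), 'aab')
DST = ("s'", Fraction(5, 2), Fraction(9, 4), Fraction(7, 2), 'ab')
SAMPLE_PAIRS = [
    (SRC, DST),                                # premise and conclusion both hold
    (SRC[:4] + ('ab',), DST[:4] + ('b',)),     # premise holds, conclusion fails
]

if __name__ == "__main__":
    print(abstract(SRC[1:4], (Fraction(13, 4),) + DST[1:4]))
    print(find_counterexample(SAMPLE_PAIRS))
```

`has_pattern` uses only equalities and strict inequalities between fractional parts, which is what makes $P_\eta$ a dense linear relation, while `relation_I` mixes a dense term with stack-symbol counts, the combination that neither clock regions nor the pushdown model-checking procedures handle on their own.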

When $A$ is a timed automaton, by Theorem 1, the binary reachability can be
expressed in the additive theory of reals (or rationals) and integers. Notice that our
characterization is essentially equivalent to the one given by Comon and Jurski [?], in
which $\leadsto_A$ can be expressed in the additive theory of reals augmented with a predicate
telling whether a term is an integer. Because the additive theory of reals and integers is
decidable [?], we have:



Theorem 3. The truth value of any closed formula expressible in the (first-order) ad-
ditive theory of reals (or rationals) augmented with a predicate $\leadsto_A$ for a timed au-
tomaton $A$ is decidable (also shown in [16]).



For instance, consider the following property for a timed automaton $A$ with two real
clocks:

"there are states $s$ and $s'$ such that, for any $x_1, x_2, x'_2$, there exists $x'_1$ such that if
$(s, x_1, x_2)$ can reach $(s', x'_1, x'_2)$ in $A$, then $x_1 - x_2 > x'_1 - x'_2$."

It can be expressed as

$\exists s, s'\, \forall x_1, x_2, x'_2\, \exists x'_1 \big( (s, x_1, x_2) \leadsto_A (s', x'_1, x'_2) \rightarrow x_1 - x_2 > x'_1 - x'_2 \big),$

and thus can be verified according to Theorem 3.



8 Conclusions, Discussions and Future Work 

In this paper, we consider PTAs that are timed automata augmented with a pushdown 
stack. A configuration of a PTA includes a control state, finitely many dense clock 
values and a stack word. By introducing the concept of a clock pattern and using an 
automata-theoretic approach, we give a decidable characterization of the binary reacha- 
bility of a PTA. Since a timed automaton can be treated as a PTA without the pushdown 
stack, we can show that the binary reachability of a timed automaton is definable in the 
additive theory of reals and integers. The results can be used to verify a class of safety 
properties containing linear relations over both dense variables and unbounded discrete
variables. 

A PTA studied here can be regarded as the timed version of a pushdown machine. 
Carefully looking at the proofs of the decidable binary reachability characterization, 
we find out that the underlying untimed machine (e.g., the pushdown machine) is not 
essential. We can replace it with many other kinds of machines and the resulting timed 
system still has a decidable binary reachability characterization. We will summarize 
some of these machines in this section. 

Consider a class of machines X. We use XCM to denote machines in X augmented
with reversal-bounded counters. We are looking at the binary reachability characteriza-
tion of the timed version of machines in X. The characterization is established in the
previous sections when X represents pushdown machines. In the proofs, a dense clock
is separated into a fractional part and an integral part. The fractional parts of dense
clocks are abstracted as a pattern, and the integral parts are translated into synchronous
discrete clocks, which are further translated into reversal-bounded counters [19]. The
result of the translation is the underlying untimed machine in X augmented with these
reversal-bounded counters, i.e., a machine in XCM. Suppose a class of automata Y ac-
cepts the binary reachability of machines in XCM. In the case of X being pushdown
machines, XCM represents NPCMs and Y can be chosen as NPCAs (it is known that
the binary reachability of NPCMs can be accepted by NPCAs [9]). The fact that this
Y (i.e., NPCA) satisfies Lemma ?? is the only condition we need in order to obtain
the decidable reachability characterization in Theorem 1. Definitions like NPCA pred-
icates and (D + NPCA)-definability can be accordingly modified into Y predicates
and (D + Y)-definability once Y is clear. The above discussion gives the following result.

Theorem 4. Let Y be a class of automata, X be a class of machines and XCM be the
class of machines in X augmented with reversal-bounded counters. If, for each machine
in XCM, an automaton in Y can be constructed that accepts the binary reachability of
the machine, and Lemma ?? holds (replacing NPCA with Y), then the binary reachability
of the timed version of X is (D + Y)-definable.

Notice that Lemma ??(4) requires that the emptiness problem for Y in Theorem 4
be decidable. Theorem 2 then follows immediately from Theorem 4 for the timed
version of X.

According to Theorem 4, the timed version of each of the following machines X has a de-
cidable (D + Y)-definable characterization of binary reachability, by properly choosing
Y:

- NPCM. Here Y = NPCA;

- NCM with an unrestricted counter. Notice that the counter is a special case of a
pushdown stack (when the stack alphabet is unary). Here, Y = NPCA;

- Finite-crossing NCM (i.e., NCM augmented with a finite-crossing read-only
worktape; the head on the worktape is two-way, but for each cell of the tape the
head crosses it only a bounded number of times). Here, Y is the finite-crossing NCAs
[?], which are NCM augmented with a finite-crossing input tape;

- Reversal-bounded multipushdown machines [7], which are multipushdown machines
[13] augmented with reversal-bounded counters. Here, Y is the reversal-bounded mul-
tipushdown automata [?].
Let X be a class of machines. The pattern technique tells us that, for a decidable
binary reachability characterization of the timed version of X, the density of clocks
(and even the clocks themselves) is not the key issue, because, using the technique,
dense clocks can be reduced to reversal-bounded integer counters. The key issue is
whether X and its reversal-bounded version XCM have a decidable binary reachability
characterization (i.e., the binary reachability can be accepted by a class Y of automata
with a decidable emptiness problem). In particular, when the binary reachability of X
is effectively semilinear (and hence decidable), in most cases
the binary reachability of XCM is also effectively semilinear. Such X include all the
machines mentioned above. In this case, once we can show that the untimed machines in
X have a decidable binary reachability characterization, we are very close to
the decidable characterization for their timed version. But there are exceptions. For
instance, consider X to be finite state machines with a two-way read-only worktape. X
has a decidable binary reachability characterization (witnessed by two-way multitape
finite automata). However, augmenting X with reversal-bounded counters makes the
binary reachability undecidable. The pitfall here is that a two-way tape makes reversal-
bounded counters too powerful. In fact, the emptiness problem is undecidable for two-
way automata augmented with reversal-bounded counters. In the case when there is
only one reversal-bounded counter, the emptiness problem is decidable if the machines
are deterministic. The nondeterministic case is still open.



In practice, augmenting timed automata with other unbounded data structures al-
lows us to study more complex real-time applications. For instance, the decidable char-
acterization of PTAs makes it possible to implement a tool verifying recursive real-time
programs containing finite-state variables against safety properties containing linear
constraints over dense clocks and stack word counts. This tool will be a good comple-
ment to available tools for recursive finite state programs (for regular safety properties,
e.g., termination) [22, ?]. On the other hand, for the existing tools analyzing real-time
systems (such as UPPAAL [?] and its extensions TREX [?], HyTech [?] and
Kronos [11]), the traditional region-based technique used in the tools may be enhanced
with the pattern technique. Doing this makes it possible for the tools to verify complex
timing requirements that may not be in the form of clock regions. The results in this
paper can also be used to implement a model-checker for a subset of the real-time spec-
ification language ASTRAL [?]. The subset includes history-independent ASTRAL
specifications containing both dense clocks and unbounded discrete control variables.

As mentioned in this section, the timed version of NPCM (i.e., PTAs further aug-
mented with reversal-bounded counters) also has a decidable characterization. This
timed model has many important applications. For instance, a real-time recursive pro-
gram (containing unbounded integer variables) can be automatically debugged using
the reversal-bounded approximation (i.e., assigning a reversal-bound to the variables). Ad-
ditionally, a free counter (i.e., an unrestricted counter) is a special case of a pushdown
stack (when the stack alphabet is unary). Therefore, this model can also be used to spec-
ify real-time systems containing a free counter and many reversal-bounded counters.
It may seem that "reversal-bounded counters" are unnatural and therefore their appli-
cations in practice are remote. However, a non-decreasing counter is also a reversal-
bounded counter (with zero reversal-bound), and this kind of counter has a lot of appli-
cations. For instance, a non-decreasing counter can be used to count digital time elapse,
the number of external events, the number of times a particular branch is taken by a nonde-
terministic program (this is important when fairness is taken into account), etc. For
instance, consider a timed automaton with input symbols (i.e., a transition is triggered
by an external event as well as by the enabling condition). We use $\#_a$ to denote the num-
ber of occurrences of event $a$ so far. The enabling condition of a transition, besides clock
constraints, may also include comparisons of the counts $\#_a$ against an integer constant
and comparisons of one specific linear term $T$ (on all $\#_a$) against an integer constant.
For instance, a transition may look like this (in pseudo-code):

s: if event(a) and $x_2 - x_1 > 10$ and $\ldots > 21$ and $2\#_c - 3\#_b < 5$,
   then progress; goto s'

where $x_1$ and $x_2$ are dense clocks. Notice that comparisons of the linear term $2\#_c - 3\#_b$
against an integer constant may show up in other transitions. But this term is unique in
the automaton: a comparison like $\ldots - 3\#_b > 8$ that involves a different term $\ldots -
3\#_b$ can not be used in the enabling conditions of the automaton. This timed automaton
is a standard timed automaton augmented with reversal-bounded counters (which
are non-decreasing) and a free counter (representing the linear term $2\#_c - 3\#_b$). Hence,
the following property can be automatically verified:

"It is always true that whenever $x_1 - 7\#_b + 3x_2 > \ldots$ holds, $x_1$ must be greater
than $\#_c - \#_a$."
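A small simulator for the kind of automaton just described, added here as an example and not taken from the paper: two dense clocks, non-decreasing event counters $\#_a, \#_b, \#_c$, and one free counter standing for the term $2\#_c - 3\#_b$, with the transition guard from the pseudo-code above and the safety property checked on every configuration reached. The automaton's other transitions, the event traces and the property's threshold are constructed, and the count compared against 21 in the guard is assumed to be $\#_a$, since that part of the text did not survive.

```python
from fractions import Fraction

# Added example (not the paper's code): a timed automaton with input events,
# dense clocks x1, x2, non-decreasing event counters #a, #b, #c (reversal-
# bounded with bound 0) and a single free counter for the term 2#c - 3#b.
# The automaton, the traces and THRESHOLD are constructed; the count compared
# against 21 in the text's guard is assumed to be #a.


def free_term(counts):
    """The one free counter of the model: the linear term 2#c - 3#b."""
    return 2 * counts['c'] - 3 * counts['b']


def guard_s(event, clocks, counts):
    """Enabling condition of the transition s -> s' shown in the text."""
    return (event == 'a'
            and clocks['x2'] - clocks['x1'] > 10
            and counts['a'] > 21                 # assumed: the compared count is #a
            and free_term(counts) < 5)


# (source state, guard, clocks reset on firing, target state); constructed
TRANSITIONS = [
    ('s', guard_s, ('x1',), "s'"),
    ('s', lambda e, cl, ct: e == 'c', ('x1',), 's'),   # resets x1 on every c
    ("s'", lambda e, cl, ct: e == 'b', ('x2',), 's'),
]

THRESHOLD = 0   # constructed: the constant in the property is not legible


def holds(clocks, counts):
    """Safety property: whenever x1 - 7#b + 3x2 > THRESHOLD, x1 > #c - #a."""
    if clocks['x1'] - 7 * counts['b'] + 3 * clocks['x2'] > THRESHOLD:
        return clocks['x1'] > counts['c'] - counts['a']
    return True


def run(trace):
    """Run a timed trace [(delay, event), ...]: each delay (a Fraction, so the
    dense values stay exact) makes every clock progress at rate 1, then the
    event is counted and the first enabled transition, if any, fires.
    Returns (state, clocks, counts, violations), where violations lists the
    configurations reached that break the property."""
    state = 's'
    clocks = {'x1': Fraction(0), 'x2': Fraction(0)}
    counts = {'a': 0, 'b': 0, 'c': 0}
    violations = []
    for delay, event in trace:
        for c in clocks:
            clocks[c] += delay
        counts[event] += 1          # counters only grow: zero reversals
        for src, guard, resets, tgt in TRANSITIONS:
            if src == state and guard(event, clocks, counts):
                for c in resets:
                    clocks[c] = Fraction(0)
                state = tgt
                break
        if not holds(clocks, counts):
            violations.append((state, dict(clocks), dict(counts)))
    return state, clocks, counts, violations


# Constructed traces: the first drives the guard above to fire (21 a's, a c
# that resets x1, then a 22nd a with x2 - x1 = 11); the second keeps resetting
# x1 while x2 grows, which breaks the property at every step.
TRACE_FIRES = [(Fraction(1, 2), 'a')] * 21 + [(Fraction(1, 2), 'c'), (Fraction(1, 4), 'a')]
TRACE_VIOLATES = [(Fraction(1), 'c')] * 3

if __name__ == "__main__":
    print(run(TRACE_FIRES))
    print(run(TRACE_VIOLATES)[3])
```

The counters in `run` are only ever incremented, which is what makes them reversal-bounded with bound zero; `free_term` is the only quantity that can move in both directions, mirroring the restriction that a single linear term over the counts may appear in guards. `run(TRACE_VIOLATES)` reports three violating configurations on that one explicit trace, whereas the decidable characterization settles the property for all runs at once.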

A future research issue is to investigate whether the decidability results [?] for Pres-
burger liveness of discrete timed automata can be extended to timed automata (with
dense clocks) using the technique in this paper. We are also going to look at the pos-
sibility of extending the approximation approaches for parameterized discrete timed
automata [?] to dense clocks. This is particularly interesting, since the reachability
set presented in [?] is not necessarily semilinear. Another issue is the complexity
analysis of the decision procedure presented in this paper. However, the complexity of
the emptiness problem for NPCAs is still unknown, though it is believed that it can be
derived along the lines of Gurari and Ibarra [24].

The author would like to thank H. Comon and O. H. Ibarra for discussions on the
topic of dense timed pushdown automata during CAV'00 in Chicago, B. Boigelot, P.
San Pietro and J. Su for recent discussions on [?], and J. Nelson, F. Sheldon and G. Xie for
reading an earlier draft of this paper. Thanks also go to T. Bultan, H. Comon, J. Esparza
and K. Larsen for comments on the short version of this paper presented in CAV'01 in
Paris.